
Safety Considerations Guide, Tricon v9.0 - Tuv-fs.com


Tricon Version 9 Safety Considerations Guide
Triconex Corporation, an Invensys company


Information in this document is subject to change without notice. Companies, names and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Triconex Corporation.

©2001 Triconex Corporation. All Rights Reserved.

Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Modbus is a registered trademark of Modicon Corporation. Triconex is a registered trademark of Triconex Corporation in the USA and other countries. TriStation 1131 and Tricon are trademarks of Triconex Corporation in the USA and other countries. All other brands or product names may be trademarks or registered trademarks of their respective owners.

Document No. 9720078-002
Printed in the United States of America.


Acknowledgement

Triconex acknowledges the generous assistance of TÜV Rheinland/Berlin-Brandenburg in the development of this guide. In addition, their efforts have contributed to the overall quality and integrity of the Tricon system.

TÜV Rheinland/Berlin-Brandenburg aims to “shape technology so that it does not put people and the environment at risk but is of the greatest benefit to them.” To achieve this aim, TÜV offers support during the complete life cycle of a product, from concept through development and testing to certification.


About This Guide

This manual provides information about safety concepts and standards that apply to the Tricon controller.

How This Guide Is Organized

This manual is organized as follows:
• Chapter 1, “Safety Concepts”—Describes safety issues, safety standards, and implementation of safety measures.
• Chapter 2, “Application Guidelines”—Provides information on industry guidelines and recommendations.
• Chapter 3, “Fault Management”—Discusses fault tolerance and fault detection.
• Chapter 4, “Application Development”—Discusses methods for developing applications properly to avoid application faults.
• Appendix A, “Peer-to-Peer Communication”—Describes the function blocks intended for use in safety-critical applications and shows their Structured Text code.


Related Documents

The following manuals contain information that is relevant to the use of the system.
• Advanced Communication Module User's Guide
• Enhanced Intelligent Communication Module User's Manual
• Hiway Interface Module User's Guide
• Network Communication Module User's Guide
• Safety Manager Module User's Guide
• Tricon DDE Server User's Guide
• Tricon System Access Application Programmer's Reference
• Tricon System Aliases Reference Manual
• Tricon Planning & Installation Guide
• TriStation 1131 Developer's Guide for Tricon Systems
• TriStation 1131 Getting Started for Tricon Users
• TriStation 1131 Triconex Libraries


Abbreviations Used

The controller is hereafter called Tricon, except in cases where the full name must be used to ensure clarity. The TriStation 1131 Developer’s Workbench is hereafter called TriStation.

The following list provides full names for abbreviations of safety terms used in this guide.
• BPCS: Basic process control system
• ESD: Emergency shutdown
• HAZOP: Hazard and operability study
• MOC: Management of change
• MTBF: Mean time between failure
• PES: Programmable electronic system
• PFD: Probability to fail on demand
• PHA: Process hazard analysis
• PSM: Process safety management
• RMP: Risk management program
• RRF: Risk reduction factor
• SIL: Safety integrity level
• SIS: Safety-instrumented system
• SOV: Solenoid-operated valve
• SRS: Safety requirements specification
• SV: Safety (relief) valve


How to Contact Triconex

You can obtain sales information and technical support for Triconex products from any regional customer center or from corporate headquarters. To locate regional centers, go to the Global Locator page on the Triconex web site at: http://www.triconex.com.

Requesting Technical Support

You can obtain technical support from any regional center and from offices in Irvine, California and Houston, Texas. If you require emergency or immediate response and are not a participant in the System Maintenance Program (SMP), you may incur a charge. After-hours technical support is billed at the rate specified in the current Customer Satisfaction Price List.

Requests for support are prioritized as follows:
• Emergency requests are given the highest priority.
• Requests from SMP participants and customers with purchase order or charge card authorization are given next priority.
• All other requests are handled on a time-available basis.

Gathering Supporting Documentation

Before contacting corporate technical support, please try to solve the problem by referring to the Triconex documentation. If you are unable to solve the problem, obtain the following information:
• Error messages and other indications of the problem
• Sequence of actions leading to the problem
• Actions taken after the problem occurred
• If the problem involves a Triconex controller, obtain the model numbers and revision levels for all affected items. This information can be found on the modules, in the System Log Book, or on the TriStation Diagnostic Panel.
• If the problem involves software, obtain the product version number by selecting the About topic from the Help menu.


Contacting Triconex Technical Support

If possible, you should contact your regional customer center for assistance. If you cannot contact your regional center, contact technical support for the type of system you are using, either ESD systems or Turbomachinery systems.

Please include the following information in your message:
• Your name and your company name.
• Your location (city, state, and country).
• Your phone number (area code and country code, if applicable).
• The time you called.
• Whether this is an emergency.

Note: If you require emergency support and are not an SMP participant, please have a purchase order or credit card available for billing.

For ESD Systems

For ESD systems, contact the Customer Response Center in Irvine, California. Normal business hours are 8:00 A.M. to 5:00 P.M. (Pacific time), Monday through Friday. You can leave a message at any time. Emergency calls are responded to on a 24-hour daily basis.

Telephone
Phone: Toll-free at 866-TMR-CALL (866-867-2255), or 949-885-0800

Fax
Send your request to the Technical Support Manager.
Fax: Toll-free at 800-325-2134, or 949-753-9101


For Turbomachinery Systems

For turbomachinery systems, contact the Customer Response Center in Houston, Texas. Normal business hours are 8:00 A.M. to 5:00 P.M. (Central time), Monday through Friday. You can leave a message at any time. Emergency calls are responded to on a 24-hour daily basis.

Telephone
Phone: Toll-free at 866-TMC-HELP (866-862-4357), or 281-709-1200

Fax
Send your request to the Technical Support Manager.
Fax: 281-709-0015

Training

In addition to this documentation, Triconex offers in-house and on-site training. For information on available courses, please contact your regional customer center.




CONTENTS

About This Guide .......... v
    How This Guide Is Organized .......... v
    Related Documents .......... vi
    Abbreviations Used .......... vii
    How to Contact Triconex .......... viii
        Requesting Technical Support .......... viii
            Gathering Supporting Documentation .......... viii
            Contacting Triconex Technical Support .......... ix
                For ESD Systems .......... ix
                For Turbomachinery Systems .......... x
        Training .......... x

Chapter 1 Safety Concepts .......... 1
    Safety Overview .......... 2
        Protection Layers .......... 3
        SIS Factors .......... 4
        SIL Factors .......... 4
    Hazard and Risk Analysis .......... 5
        Safety Integrity Levels .......... 6
            Determining a Safety Integrity Level .......... 6
        Example SIL Calculation .......... 8
        Safety Life Cycle Model .......... 10
    Safety Standards .......... 15
        General Safety Standards .......... 15
            DIN V 19250 .......... 15
            DIN V VDE 0801 .......... 15
            IEC 61508, Parts 1–7 .......... 16
            ANSI/ISA S84.01 .......... 16
            Draft IEC 61511, parts 1–3 .......... 16
        Application-Specific Standards .......... 17
            DIN VDE 0116 .......... 17
            EN 54, Part 3 .......... 17
            NFPA 72 .......... 17
            NFPA 8501 .......... 17
            NFPA 8502 .......... 17
            CSA C22.2 NO 199 .......... 17

Chapter 2 Application Guidelines .......... 19
    TÜV Rheinland Certification .......... 20
    General Guidelines .......... 20
        All Safety Systems .......... 20
        Emergency Shutdown Systems .......... 21
        Burner Management Systems .......... 21
        Fire and Gas Systems .......... 22
    Guidelines for Tricon Controllers .......... 23
        Safety-Critical Modules .......... 24
        Safety-Shutdown .......... 24
        Response Time and Scan Time .......... 24
        Disabled Points Alarm .......... 24
        Disabled Output Voter Diagnostic .......... 25
        Download All at Completion of Project .......... 25
        Modbus Master Functions .......... 25
        Peer-to-Peer Communication .......... 25
            Sending Node .......... 25
            Receiving Node .......... 26
        SIL3/AK5 Guidelines .......... 27
            Additional Fire and Gas Guidelines .......... 28
        SIL3/AK6 Guidelines .......... 29
            Additional Fire and Gas Guidelines .......... 30
        Project Change and Control .......... 30
        Maintenance Overrides .......... 32
            Using Serial Communication .......... 32
        Additional Recommendations .......... 35

Chapter 3 Fault Management .......... 37
    System Architecture .......... 38
    System Diagnostics .......... 39
    Types of Faults .......... 40
        External Faults .......... 40
        Internal Faults .......... 40
    Operating Modes .......... 41
    Module Diagnostics .......... 43
        Digital Input Modules .......... 43
            Digital Input Module Alarms .......... 43
        Digital Output Modules .......... 43
            Digital Output Module Alarms .......... 43
        Analog Input Modules .......... 44
            Analog Input Module Alarms .......... 44
        Analog Output Modules .......... 44
            Analog Output Module Field Alarms .......... 44
        Relay Output Modules .......... 45
            Relay Output Module Alarms .......... 45
        Input/Output Processing .......... 45
            I/O Module Alarms .......... 45
        Main Processor and TriBus .......... 46
        External Communication .......... 46
            Semaphore Flags .......... 46
            System Attributes .......... 47

Chapter 4 Application Development .......... 49
    Development Guidelines .......... 50
        TriStation Install Check .......... 50
    Important TriStation Commands .......... 51
        Download Change .......... 51
        Upload and Verify .......... 52
        Compare to Last Download .......... 52
    Setting Scan Time .......... 53
        Scan Time .......... 53
        Scan Surplus .......... 53
            Scan Overruns .......... 54
    Sample Safety-Shutdown Programs .......... 55
        All I/O Modules Safety-Critical .......... 55
            Program EX01_SHUTDOWN .......... 56
        Some I/O Modules Safety-Critical .......... 60
            Program EX02_SHUTDOWN .......... 61
        Defining Function Blocks .......... 65
        Partitioned Processes .......... 66
            Program EX03_SHUTDOWN .......... 67
    Alarm Usage .......... 68
        Programming Permitted Alarm .......... 68
        Remote Access Alarm .......... 68
        Response Time and Scan Time .......... 68
        Disabled Points Alarm .......... 68

Appendix A Peer-to-Peer Communication .......... 69
    Data Transfer Time .......... 70
    Examples of Peer-to-Peer Applications .......... 72
        Fast Send to One Triconex Node .......... 72
        Sending Data Every Second to One Node .......... 72
        Controlled Use of TR_USEND/TR_URCV Function Blocks .......... 73
        Using TR_USEND/TR_URCV Function Blocks for Safety-Critical Data .......... 73
            Sending Node #1 Parameters .......... 73
            Receiving Node #3 Parameters .......... 73
    TR_CRITICAL_IO Function Block .......... 75
        Instructions for Use .......... 75
        Structured Text .......... 79
    TR_SHUTDOWN Function Block .......... 82
        Structured Text .......... 86
    TR_VOTE_MODE Function Block .......... 90
        Structured Text .......... 92

Appendix B Shutdown Function Blocks .......... 95
    TR_CRITICAL_IO Function Block .......... 96
        Instructions for Use .......... 96
        Structured Text .......... 100
    TR_SHUTDOWN Function Block .......... 103
        Structured Text .......... 107
    TR_VOTE_MODE Function Block .......... 111
        Structured Text .......... 113

Index .......... 115


CHAPTER 1
Safety Concepts

This chapter describes background information about safety concepts and standards.

Topics include:
• “Safety Overview” (page 2)
• “Hazard and Risk Analysis” (page 5)
• “Safety Standards” (page 15)
• “Application-Specific Standards” (page 17)


Safety Overview

Modern industrial processes tend to be technically complex, involve substantial energies, and have the potential to inflict serious harm to persons or property during a mishap.

The IEC 61508 standard defines safety as “freedom from unacceptable risk.” In other words, absolute safety can never be achieved; risk can only be reduced to an acceptable level.

Safety methods to mitigate harm and reduce risk include:
• Changing the process or mechanical design, including plant or equipment layout
• Increasing the mechanical integrity of equipment
• Improving the basic process control system (BPCS)
• Developing additional or more detailed training procedures for operations and maintenance
• Increasing the testing frequency of critical components
• Using a safety-instrumented system (SIS)
• Installing mitigating equipment to reduce harmful consequences; for example, explosion walls, foams, impoundments, and pressure relief systems

Methods that provide layers of protection should be:
• Independent
• Verifiable
• Dependable
• Designed for the specific safety risk


Protection Layers

The figure below shows how layers of protection can be used to reduce unacceptable risk to an acceptable level. The amount of risk reduction for each layer is dependent on the specific nature of the safety risk and the impact of the layer on the risk. Economic analysis should be used to determine the appropriate combination of layers for mitigating safety risks.

[Figure: Effect of protection layers on process risk. The risk axis runs from 0 (lower risk) to higher risk; starting from the inherent process risk, each successive layer (mechanical integrity, BPCS*, SIS, SV) brings the process risk down toward the acceptable risk level.]
* BPCS–Basic process control system; SIS–Safety-instrumented system; SV–Safety (relief) valve

When an SIS is required, one of the following should be determined:
• Level of risk reduction assigned to the SIS
• Safety integrity level (SIL) of the SIS

Typically, a determination is made according to the requirements of the ANSI/ISA S84.01 or IEC 61508 standards during a process hazard analysis (PHA). A process demand is defined as the occurrence of a process deviation that causes an SIS to transition a process to a safe state.


SIS Factors

According to the ANSI/ISA S84.01 and IEC 61508 standards, the scope of an SIS is restricted to the instrumentation or controls that are responsible for bringing a process to a safe state in the event of a failure. The availability of an SIS is dependent upon:
• Failure rates and modes of components
• Installed instrumentation
• Redundancy
• Voting
• Diagnostic coverage
• Testing frequency

SIL Factors

A SIL can be considered a statistical representation of the availability of an SIS at the time of a process demand. A SIL is the litmus test of acceptable SIS design and includes the following factors:
• Device integrity
• Diagnostics
• Systematic and common cause failures
• Testing
• Operation
• Maintenance

In modern applications, a programmable electronic system (PES) is used as the core of a SIS. The Triconex controller is a state-of-the-art PES optimized for safety-critical applications.


Hazard and Risk Analysis

In the United States, OSHA Process Safety Management (PSM) and EPA Risk Management Program (RMP) regulations dictate that a PHA be used to identify potential hazards in the operation of a chemical process and to determine the protective measures necessary to protect workers, the community, and the environment. The scope of a PHA may range from a very simple screening analysis to a complex hazard and operability study (HAZOP).

A HAZOP is a systematic, methodical examination of a process design that uses a multi-disciplinary team to identify hazards or operability problems that could result in an accident. A HAZOP provides a prioritized basis for the implementation of risk mitigation strategies, such as SISs or ESDs.

If a PHA determines that the mechanical integrity of a process and the process control are insufficient to mitigate the potential hazard, an SIS is required. An SIS consists of the instrumentation or controls that are installed for the purpose of mitigating a hazard or bringing a process to a safe state in the event of a process upset.

A compliant program incorporates “good engineering practice.” This means that the program follows the codes and standards published by such organizations as the American Society of Mechanical Engineers, American Petroleum Institute, American National Standards Institute, National Fire Protection Association, American Society for Testing and Materials, and National Board of Boiler and Pressure Vessel Inspectors. Other countries have similar requirements.


Safety Integrity Levels

The figure below shows the relationship of DIN V 19250 classes and safety integrity levels (SILs). As a required SIL increases, SIS integrity increases as measured by:
• System availability (expressed as a percentage)
• Average probability-to-fail-on-demand (PFDavg)
• Risk reduction factor (RRF, reciprocal of PFDavg)

The relationship between AK class and SIL is extremely important and should not be overlooked. These designations were developed in response to serious incidents that resulted in the loss of life, and are intended to serve as a foundation for the effective selection and appropriate design of safety-instrumented systems.

Standards and Risk Measures (risk reduction increases from the bottom row to the top row):

Risk Measures                                          Risk Standards
Percent Availability   PFDavg            RRF            ANSI/ISA S84.01   IEC 61508   DIN V 19250
99.999–99.99           0.00001–0.0001    >10,000        (not defined)     SIL 4       AK 8, AK 7
99.99–99.90            0.0001–0.001      10,000–1,000   SIL 3             SIL 3       AK 6, AK 5
99.90–99.00            0.001–0.01        1,000–100      SIL 2             SIL 2       AK 4
99.00–90.00            0.01–0.1          100–10         SIL 1             SIL 1       AK 3, AK 2
(below SIL 1)                                                                         AK 1

Determining a Safety Integrity Level

If a PHA concludes that an SIS is required, ANSI/ISA S84.01 and IEC 61508 require that a target SIL be assigned. The assignment of a SIL is a corporate decision based on risk management and risk tolerance philosophy. Safety regulations require that the assignment of SILs should be carefully performed and thoroughly documented.


Completion of a HAZOP determines the severity and probability of the risks associated with a process. Risk severity is based on a measure of the anticipated impact or consequences, including:
• On-site consequences
    • Worker injury or death
    • Equipment damage
• Off-site consequences
    • Community exposure, including injury and death
    • Property damage
• Environmental impact
    • Emission of hazardous chemicals
    • Contamination of air, soil, and water supplies
    • Damage to environmentally sensitive areas

A risk probability is an estimate of the likelihood that an expected event will occur. A risk probability is classified as high, medium, or low, and is often based on a company’s or a competitor’s operating experience.

Several methods of converting HAZOP data into SILs are used. Methods range from making a corporate decision on all safety system installations to more complex techniques, such as an IEC 61508 risk graph.


Example SIL Calculation

As a PES, the controller is designed to minimize its contribution to the SIL, thereby allowing greater flexibility in the SIS design.

Comparison of Percent Availability and PFD (risk measures; risk reduction increases from the bottom row to the top row):

Percent Availability   PFD
99.9999                0.000001
99.999                 0.00001
99.99                  0.0001
99.90                  0.001
99.00                  0.01
90.00                  0.1

[Figure: the chart marks the Tricon PES* and the SIL 3 SIS band against this scale.]

* Tricon controller failure rates have been independently calculated by Factory Mutual System. A copy of Factory Mutual Technical Report, “An Estimation of the Failure Rates for Modules Used in the Triconex Tricon 9 System,” FMRC J.I. 003003840, is available upon request.

[Figure: Safety Integrated System, simplified diagram of key elements.]
• Sensors: 3 pressure transmitters (2oo3); 3 temperature transmitters (2oo3)
• PES/Logic solver: TMR controller (2oo3)
• Final elements: 2 block valves in series (1oo2)


Equation for Calculating PFD_avg for Sensors
The following simplified equation may be used to calculate PFD_avg for sensors (2oo3):
  PFD_avg = (λ_DU × TI)²
where the following variables are supplied by the manufacturer:
  λ = failure rate
  DU = dangerous, undetected failure rate
  TI = test interval in hours
Equation for Calculating PFD_avg for Block Valves
The following simplified equation may be used to calculate PFD_avg for block valves (1oo2) in series (final elements):
  PFD_avg = 1/3 (λ_DU × TI)²
where the following variables are supplied by the manufacturer:
  λ = failure rate
  DU = dangerous, undetected failure rate
  TI = test interval in hours
Equation for Calculating PFD_avg for System
The following simplified equation may be used to calculate PFD_avg for a system.
  System PFD_avg = Sensors PFD_avg + Block Valves PFD_avg + Controller PFD_avg


Using the Equations

                                   λ_DU       TI     PFD Result
  Pressure Transmitters (2oo3)     2.28E-06   4380   1.00E-04
  Temperature Transmitters (2oo3)  2.85E-06   4380   1.56E-04
  Total for Sensors                                  2.56E-04
  Block Valves (1oo2)              2.28E-06   4380   3.33E-05
  Total for Block Valves                             3.33E-05
  Tricon Controller                                  2.00E-05
  PFD_avg for System                                 3.09E-04

To determine the SIL, compare the calculated PFD_avg to the figure on page 8. In this example, the system is acceptable as an SIS for use in SIL3 applications.
Safety Life Cycle Model
The necessary steps for designing an SIS from conception through decommissioning are described in the safety life cycle.
Before the safety life cycle model is implemented, the following requirements should be met:
• Hazard and operability study has been completed
• SIS requirement has been determined
• Target SIL has been determined
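The calculation above carried through in code, as an added example (not from the Triconex guide): it applies the two simplified PFD_avg equations to the table's figures, maps the system result onto the availability/PFD comparison, and additionally solves for the longest common test interval that keeps the system inside the SIL 3 band. The SIL band edges in sil_band() and the closed-form test-interval solution are this example's assumptions, not values the page gives.

```python
"""PFD_avg and SIL check for the example SIS on this page (added example,
not Triconex code).

Inputs are the page's figures: lambda_DU per hour, test interval TI in
hours, Tricon controller PFD_avg 2.00E-05. The simplified equations are
the page's own; the SIL band edges are the IEC 61508 low-demand bands,
an assumption here since the page gives them only as a table.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Subsystem:
    name: str
    lambda_du: float  # dangerous undetected failure rate, per hour
    ti_hours: float   # functional test interval TI, hours
    voting: str       # "2oo3" (sensors) or "1oo2" (block valves in series)


def pfd_avg(sub: Subsystem) -> float:
    """Page's simplified equations: 2oo3 -> (lambda_DU*TI)^2,
    1oo2 -> (1/3)(lambda_DU*TI)^2."""
    x = sub.lambda_du * sub.ti_hours
    if sub.voting == "2oo3":
        return x * x
    if sub.voting == "1oo2":
        return x * x / 3.0
    raise ValueError(f"no simplified equation on the page for {sub.voting}")


def system_pfd_avg(sensors: List[Subsystem], final_elements: List[Subsystem],
                   controller_pfd: float) -> float:
    """System PFD_avg = Sensors + Block Valves + Controller (page's equation)."""
    return (sum(pfd_avg(s) for s in sensors)
            + sum(pfd_avg(f) for f in final_elements)
            + controller_pfd)


def availability_percent(pfd: float) -> float:
    """Percent availability column of the page's comparison table."""
    return 100.0 * (1.0 - pfd)


def sil_band(pfd: float) -> int:
    """IEC 61508 low-demand SIL bands (assumption; the page shows only the
    table). Returns 0 when the PFD lies outside SIL 1..4."""
    bands = {4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
    for sil, (lo, hi) in bands.items():
        if lo <= pfd < hi:
            return sil
    return 0


def max_test_interval(sensors, final_elements, controller_pfd, target_pfd):
    """Longest common TI (hours) keeping System PFD_avg below target_pfd.
    Both simplified equations scale with TI^2, so with one shared TI
    System PFD_avg = k*TI^2 + controller_pfd; solve for TI. This
    derivation is added here, not on the page."""
    if target_pfd <= controller_pfd:
        raise ValueError("controller PFD alone exceeds the target")
    unit = [Subsystem(s.name, s.lambda_du, 1.0, s.voting)
            for s in list(sensors) + list(final_elements)]
    k = sum(pfd_avg(s) for s in unit)  # PFD per TI^2
    return ((target_pfd - controller_pfd) / k) ** 0.5


# The page's example figures (TI = 4380 h).
SENSORS = [
    Subsystem("Pressure Transmitters", 2.28e-6, 4380, "2oo3"),
    Subsystem("Temperature Transmitters", 2.85e-6, 4380, "2oo3"),
]
FINAL_ELEMENTS = [Subsystem("Block Valves", 2.28e-6, 4380, "1oo2")]
TRICON_CONTROLLER_PFD = 2.00e-5


def example_report() -> dict:
    """Reproduces the 'Using the Equations' table plus the SIL mapping."""
    total = system_pfd_avg(SENSORS, FINAL_ELEMENTS, TRICON_CONTROLLER_PFD)
    return {
        "sensors_pfd": sum(pfd_avg(s) for s in SENSORS),
        "block_valves_pfd": sum(pfd_avg(f) for f in FINAL_ELEMENTS),
        "system_pfd": total,
        "availability_percent": availability_percent(total),
        "sil": sil_band(total),
        "max_ti_for_sil3_hours": max_test_interval(
            SENSORS, FINAL_ELEMENTS, TRICON_CONTROLLER_PFD, 1e-3),
    }


if __name__ == "__main__":
    for key, value in example_report().items():
        print(f"{key}: {value:.3g}" if isinstance(value, float) else f"{key}: {value}")
```

The block valve term comes out 3.32E-05 rather than the table's 3.33E-05 because the table divides the already rounded 1.00E-04 by 3; the system total still rounds to 3.09E-04.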


Flowchart of Safety Life Cycle (the figure’s boxes, listed in flow order; one region of the figure is labelled “S84.01 Concern”):
  Start
  → Conceptual process design
  → Perform process hazard analysis and risk assessment
  → Apply non-SIS protection layers to prevent identified hazards or reduce risk
  → SIS required? If No: Exit. If Yes:
  → Define target SIL
  → Develop safety requirements document
  → Perform SIS conceptual design and verify it meets the SRS
  → Perform SIS detail design
  → SIS installation, commissioning, and pre-startup acceptance test
  → Establish operation and maintenance procedure
  → Pre-start-up safety review assessment
  → SIS start-up, operation, maintenance, periodic functional testing
  → Modify or decommission SIS? If Modify: return to conceptual process design. If Decommission:
  → SIS decommissioning


PES Steps in a Safety Life Cycle:
1 Develop a safety requirement specification.
An SRS consists of safety functional requirements and safety integrity requirements. An SRS can be a collection of documents or information.
Safety functional requirements specify the logic and actions to be performed by an SIS and the process conditions under which actions are initiated. These requirements include such items as consideration for manual shutdown, loss of energy source, etc.
Safety integrity requirements specify a SIL and the performance required for executing SIS functions. Safety integrity requirements include:
• Required SIL for each safety function
• Requirements for diagnostics
• Requirements for maintenance and testing
• Reliability requirements if the spurious trips are hazardous
2 For conceptual design, an engineer should:
• Define the SIS architecture to ensure the SIL is met; e.g. voting 1oo1, 1oo2, 2oo2, 2oo3
• Define the logic solver to meet the highest SIL if different SIL levels are required in a single logic solver
• Select a functional test interval to achieve the SIL
• Verify the conceptual design against the SRS
3 Develop a detail design including:
• General requirements
• SIS logic solver
• Field devices
• Interfaces
• Energy sources
• System environment
• Application logic requirements
• Maintenance or testing requirements


Some key ANSI/ISA S84.01 requirements are:
• The logic solver shall be separated from the basic process control system
• Sensors for SIS shall be separated from the sensors for the BPCS
• The logic system vendor shall provide:
  – MTTF data
  – Covert failure listing
  – Frequency of occurrence of identified covert failures
• Each individual field device shall have its own dedicated wiring to the system I/O. Using a field bus is not allowed!
• A control valve from the BPCS shall not be used as a single final element for SIL3
• The operator interface may not be allowed to change the SIS application software
• Forcing shall not be used as a part of application software or operating procedures
• When on-line testing is required, test facilities shall be an integral part of the SIS design
4 Develop a pre-start-up acceptance test procedure that provides a fully functional test of the SIS to verify conformance with the SRS.
5 Before startup, establish operational and maintenance procedures to ensure that the SIS functions comply with the SRS throughout the SIS operational life, including:
• Training
• Documentation
• Operating procedures
• Maintenance program
• Testing and preventive maintenance
• Functional testing
• Documentation of functional testing
6 Before start-up, complete a safety review.


7 Define procedures for the following:
• Start-up
• Operations
• Maintenance, including administrative controls and written procedures that ensure safety if a process is hazardous while an SIS function is being bypassed
• Training that complies with national regulations (e.g., OSHA 29 CFR 1910.119)
• Functional testing to detect covert faults that prevent the SIS from operating according to the SRS
• SIS testing, including:
  – Sensors
  – Logic solver
  – Final elements (e.g., shutdown valves, motors, etc.)
8 To ensure that no unauthorized changes are made to an application program, as mandated by OSHA 29 CFR 1910.119, follow management of change (MOC) procedures.
9 To ensure proper review, decommission an SIS before its permanent retirement from active service.


Safety Standards
Over the past several years, there has been rapid movement in many countries to develop standards and regulations to minimize the impact of industrial accidents on citizens. The standards described below apply to typical applications.
General Safety Standards
DIN V 19250
In Germany, the methodology of defining the risk to individuals is established in DIN V 19250, “Control Technology; Fundamental Safety Aspects To Be Considered for Measurement and Control Equipment.” DIN V 19250 establishes the concept that safety systems should be designed to meet designated classes, Class 1 (AK1) through Class 8 (AK8). The choice of the class is dependent on the level of risk posed by the process. DIN V 19250 attempts to force users to consider the hazards involved in their processes and to determine the integrity of the required safety-related system.
DIN V VDE 0801
As the use of programmable electronic systems in safety system designs has become prevalent, it is necessary to determine whether the design of a PES is sufficiently rigorous for the application and for the DIN V 19250 class. DIN V VDE 0801, “Principles for Computers in Safety-Related Systems,” sets forth the following specific measures to be used in evaluating a PES:
• Design
• Coding (system level)
• Implementation and integration
• Validation
Each measure is divided into specific techniques that can be thoroughly tested and documented by independent persons. Thus, DIN V VDE 0801 provides a means of determining if a PES meets certain DIN V 19250 classes.


IEC 61508, Parts 1–7
The IEC 61508 standard, “Functional Safety: Safety Related Systems,” is an international standard designed to address a complete SIS for the process, transit, and medical industries. The standard introduces the concept of a safety life cycle model (see the flowchart on page 11) to illustrate that the integrity of an SIS is not limited to device integrity, but is also a function of design, operation, testing, and maintenance.
The standard includes 4 SILs that are indexed to a specific probability-to-fail-on-demand (PFD) (see figure on page 6). A SIL assignment is based on the required risk reduction as determined by a PHA.
ANSI/ISA S84.01
ANSI/ISA S84.01-1996 is the United States standard for safety systems in the process industry. The SIL classes from IEC 61508 are used and the DIN V 19250 relationships are maintained. ANSI/ISA S84.01-1996 does not include the highest SIL class, SIL 4. The S84 Committee determined that SIL 4 is applicable for medical and transit systems in which the only layer of protection is the safety-instrumented layer. In contrast, the process industry can integrate many layers of protection in the process design. The overall risk reduction from these layers of protection is equal to or greater than that of other industries.
Draft IEC 61511, parts 1–3
The IEC 61511 standard, “Functional Safety: Safety Instrumented Systems for the Process Industry Sector,” is an international standard designed to be used as a companion to IEC 61508. IEC 61508 is intended primarily for manufacturers and suppliers of devices. IEC 61511 is intended for SIS designers, integrators, and users in the process-control industry.


Application-Specific Standards
DIN VDE 0116
DIN VDE 0116, “Electrical Equipment Of Furnaces,” outlines the German requirements for burner management applications.
EN 54, Part 3
EN 54, Part 3, “Components of Automatic Fire Detection System: Control and Indicating Equipment,” outlines the European requirements for fire detection systems.
NFPA 72
NFPA 72, “National Fire Alarm Code,” outlines the United States requirements for fire alarm systems.
NFPA 8501
NFPA 8501, “Standard for Single Burner Boiler Operation,” outlines the United States requirements for operations using single burner boilers.
NFPA 8502
NFPA 8502, “Standard for the Prevention of Furnace Explosions/Implosions in Multiple Burner Boilers,” outlines the United States requirements for operations using multiple burner boilers.
CSA C22.2 NO 199
CSA C22.2 NO 199, “Combustion Safety Controls and Solid-State Igniters for Gas and Oil-Burning Equipment,” outlines the Canadian requirements for burner management applications.




CHAPTER 2
Application Guidelines
This chapter provides information on industry guidelines.
Topics include:
  “TÜV Rheinland Certification” . . . page 20
  “General Guidelines” . . . page 20
  “Guidelines for Tricon Controllers” . . . page 23


TÜV Rheinland Certification
When used as a PES in an SIS, the Tricon controller and its companion programming workstation, the TriStation 1131 Developer’s Workbench, have been certified by TÜV Rheinland/Berlin-Brandenburg to meet the requirements of DIN 19250 AK5-AK6 and IEC 61508 SIL3. If these standards apply to your application, compliance with the guidelines described in this chapter is highly recommended.
General Guidelines
All Safety Systems
This section describes standard industry guidelines that apply to:
• All safety systems
• Emergency shutdown (ESD) systems
• Fire and gas systems
• Burner management systems
The following general guidelines apply to all user-written safety application programs and procedures:
• Functional testing is recommended to verify the correct design and operation.
• After a safety system is commissioned, no changes to the system software (operating system, I/O drivers, diagnostics, etc.) are allowed without type approval and re-commissioning. Any changes to the application or the control program should be made under strict change-control procedures. For more information on change-control procedures, see section “Project Change and Control” on page 30. All changes should be thoroughly reviewed, audited, and approved by a safety change control committee or group. After an approved change is made, it should be archived.
• In addition to printed documentation of the application program, two copies of the program should be archived on an electronic medium which is write-protected to avoid accidental changes.


• Under certain conditions, a PES may be run in a mode which allows an external computer or operator station to write to system attributes. This is normally done by means of a communication link. The following guidelines apply to writes of this type:
  – Serial communication should use Modbus or another approved protocol with CRC checks.
  – Serial communication should not be allowed to write directly to output points.
  – For information about writes to safety-related variables that result in disabling safety action, see section “Module Diagnostics” on page 43.
• PID and other control algorithms should not be used for safety-related functions. Each control function should be checked to verify that it does not provide a safety-related function.
• An SIS PES should be wired and grounded according to the procedures defined by the manufacturer.
Emergency Shutdown Systems
The safe state of the plant should be a de-energized or low (0) state.
For ESD functions, it is recommended that the hardware devices connected to PES outputs should be made of fail-safe components or should have two separate, independent shutdown paths which are periodically inspected.
Burner Management Systems
The safe state of the plant should be a de-energized or low (0) state.
When a safety system is required to conform with the DIN 0116 standard for electrical equipment in furnaces, PES throughput time should ensure that a safe shutdown can be performed within one second after a problem in the process is detected.


Fire and Gas Systems
Fire and gas applications typically do not have a safe state and should operate continuously to provide protection. The following industry guidelines apply:
• If inputs and outputs are energized to mitigate a problem, a PES system should detect and alarm open and short circuits in the wiring between the PES and the field devices.
• An entire PES system should have redundant power supplies. Also, the power supplies that are required to activate critical outputs and read safety-critical inputs should be redundant. All power supplies should be monitored for proper operation.
• De-energized outputs may be used for normal operation. To initiate action to mitigate a problem, the outputs are energized. This type of system should monitor the critical output circuits to ensure that they are properly connected to the end devices.


Guidelines for Tricon Controllers
The following topics relate to industry guidelines that are specific to Tricon controllers when used as a PES in an SIS:
• Safety-critical modules
• Safe shutdown
• Programming lockout alarm
• Remote access alarm
• Scan time and response time alarm
• Disabled points alarm
• Disabled output voters
• Download all
• Use of Peer-to-Peer functions
• Modbus master functions
• SIL3/AK5 guidelines
• SIL3/AK5 fire and gas guidelines
• SIL3/AK6 guidelines
• SIL3/AK6 fire and gas guidelines
• Project change and control


Safety-Critical Modules
It is recommended that only the following modules be used for safety-critical applications:
• Main Processor Modules, all models
• Communication Modules, all models
• Digital Input Modules, all models
• Digital Output Modules, all models
• Analog Input Modules, all models
• Analog Output Module, Model #3805 only
• Pulse Totalizer Input Module
The Relay Output Module is recommended for non-safety-critical points only.
Safety-Shutdown
A safety application should include a network that initiates a safe shutdown of the process being controlled when a controller operates in a degraded mode for a specified maximum time.
The Triconex Library provides two function blocks to simplify programming a safety-shutdown application: TR_SHUTDOWN and TR_CRITICAL_IO. To see the Structured Text code for these function blocks, see Appendix A, “Peer-to-Peer Communication.” For more information on safety-shutdown networks, see section “Sample Safety-Shutdown Programs” on page 55.
Response Time and Scan Time
Scan time must be set below 50% of the required response time. If scan time is greater than 50%, an alarm should be available.
Disabled Points Alarm
A project should not contain disabled points unless there is a specific reason for disabling them, such as initial testing. An alarm should be available to alert the operator that a point is disabled.


Disabled Output Voter Diagnostic
A safety application may not disable the output voter diagnostic.
Download All at Completion of Project
When development and testing of a safety application is completed, use the Download All command on the Control Panel to completely re-load the application to the controller.
Modbus Master Functions
Modbus Master functions are designed for use with non-critical I/O points only. These functions should not be used for safety-critical I/O points or for transferring safety-critical data using the MBREAD and MBWRITE functions.
Peer-to-Peer Communication
Peer-to-Peer communication enables Triconex controllers (also referred to as nodes) to send and receive information. If a node sends critical data to another node that makes safety-related decisions, you must ensure that the application on the receiving node can determine whether it has received new data.
If new data is not received within the time-out period (equal to half of the processing-tolerance time), the application on the receiving node should be able to determine the action to take. The actions may include one or more of the following:
• Use the last data received for safety-related decisions in the application.
• Use default values for safety-related decisions in the application.
• Monitor the status of the TR_URCV and TR_PORT_STATUS functions to determine whether there is a network problem that requires operator intervention.
The specific actions that an application should take depend on the unique safety requirements of your particular process. The sections that follow summarize the main types of actions entailed in the use of Peer-to-Peer send and receive functions.
Sending Node
The actions required in the logic of the sending application are:


• The sending node must set the SENDFLG parameter in the send call to true (1) so that the sending node sends new data as soon as the acknowledgment for the last data is received from the receiving node.
• The TR_USEND function block must include a diagnostic integer variable that is incremented with each new send initiation so that the receiving node can check this variable for changes every time it receives new data. This new variable should have a range of 1 to 65,565 where the value 1 is sent with the first sample of data. When this variable reaches the limit of 65,565, the sending node should set this variable back to 1 for the next data transfer. This diagnostic variable is required because the communication path is not triplicated like the I/O system.
• The number of TR_USEND functions in an application must be less than or equal to five because the controller only initiates five TR_USEND functions per scan. To send data as fast as possible, the TR_USEND function must be initiated as soon as the acknowledgment for the last data is received from the receiving node.
• The sending application must monitor the status of the TR_URCV and TR_PORT_STATUS functions to determine whether there is a network problem that requires operator intervention.
Receiving Node
The types of actions required in the logic of the receiving application are:
• To transfer safety-critical data, the basic rule is that the receiving node must receive at least one sample of new data within the maximum time-out limit. If this does not happen, the application for the receiving node must take one or more of the following actions, depending on requirements:
  – Use the last data received for safety-related decisions.
  – Use default values for safety-related decisions in the application.
  – Check the status of the TR_URCV and TR_PORT_STATUS functions to see whether there is a network problem that requires operator intervention.
• The receiving node must monitor the diagnostic integer variable every time it receives new data to determine whether this variable has changed from last time.
• The receiving program must monitor the status of the TR_URCV and TR_PORT_STATUS functions to determine if there is a network problem that requires operator intervention.
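The sender-side diagnostic counter and the receiver-side freshness check described above, as an added example written in plain Python rather than the Structured Text of the Triconex library; the class and function names are this example's own, and the real TR_USEND, TR_URCV and TR_PORT_STATUS calls are only referenced in comments.

```python
"""Peer-to-Peer freshness check between two nodes (added example, not
Triconex library code).

Rules taken from the page: the sending node attaches a diagnostic
counter running 1..65,565 that wraps back to 1; the receiving node treats
a sample as new only when the counter changed; if no new sample arrives
within the time-out (half the processing-tolerance time) it falls back to
default values or holds the last data, and flags the condition for
operator intervention.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, Optional, Tuple

COUNTER_MIN = 1
COUNTER_MAX = 65565  # upper limit exactly as stated on the page


class DiagnosticCounter:
    """Sending-node side: incremented on every send initiation (the value a
    real application would place in the TR_USEND data block)."""

    def __init__(self) -> None:
        self.value = COUNTER_MIN - 1  # so the first next_value() yields 1

    def next_value(self) -> int:
        self.value = COUNTER_MIN if self.value >= COUNTER_MAX else self.value + 1
        return self.value


@dataclass
class Sample:
    counter: int
    data: Dict[str, Any]


@dataclass
class PeerReceiver:
    """Receiving-node side. policy is 'default' (use default values) or
    'hold_last' (keep the last data received) once the time-out expires."""
    processing_tolerance_s: float
    defaults: Dict[str, Any]
    policy: str = "default"
    start_s: float = 0.0
    last_counter: Optional[int] = None
    last_data: Optional[Dict[str, Any]] = None
    network_alarm: bool = False
    last_fresh_s: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.timeout_s = self.processing_tolerance_s / 2.0  # page's rule
        self.last_fresh_s = self.start_s

    def scan(self, now_s: float, sample: Optional[Sample]) -> Tuple[Dict[str, Any], str]:
        """One controller scan. Returns (data to use for safety decisions,
        status), status being 'fresh', 'stale_counter', 'waiting' or 'timed_out'."""
        status = "waiting"
        if sample is not None:
            if sample.counter != self.last_counter:
                # Counter changed: genuinely new data from the sender.
                self.last_counter = sample.counter
                self.last_data = sample.data
                self.last_fresh_s = now_s
                self.network_alarm = False
                return dict(self.last_data), "fresh"
            # Same counter as last time: the link delivered old data again,
            # so it does not count as new data for the time-out check.
            status = "stale_counter"
        if now_s - self.last_fresh_s > self.timeout_s:
            # No new data within the time-out: apply the configured fallback
            # and raise the flag for operator intervention (a real application
            # would also inspect TR_URCV / TR_PORT_STATUS here).
            self.network_alarm = True
            status = "timed_out"
        if self.network_alarm or self.last_data is None:
            if self.policy == "hold_last" and self.last_data is not None:
                return dict(self.last_data), status
            return dict(self.defaults), status
        return dict(self.last_data), status
```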


For information on data transfer time and examples of how to use Peer-to-Peer functions to transfer safety-critical data, see Appendix A, “Peer-to-Peer Communication”.
SIL3/AK5 Guidelines
For SIL3/AK5 applications, the following guidelines should be followed:
• If non-approved modules are used, the inputs and outputs should be checked to verify that they do not affect safety-critical functions of the controller.
• Two modes control write operations from external hosts:
  – Remote Mode—When the keyswitch setting is REMOTE, external hosts, such as Modbus master, DCS, etc., can write to aliased variables in the controller. When false, writes are prohibited.
  – Program Mode—When the keyswitch setting is PROGRAM, TriStation can make program changes, including operations that modify the behavior of the programs currently running. (For example, Download All, Download Change, declaring variables, enabling/disabling variables, changing values of variables and scan time, etc.)
  Remote mode and program mode are independent of each other. In safety applications, operation in these modes is not recommended. In other words, write operations to the controller from external hosts should be prohibited. If remote mode or program mode becomes true, the application program should include the following safeguards:
  – When remote mode is true:
    • A program should turn on an alarm. For example, if using the TR_SHUTDOWN function block, the ALARM_REMOTE_ACCESS output could be used.
    • Aliased variables should be checked for adherence to the guidelines described in section “Maintenance Overrides” on page 32.
  – When program mode is true:
    • A program should turn on an alarm. For example, if using the TR_SHUTDOWN function block, the ALARM_PROGRAMMING_PERMITTED output could be used.
• Wiring and grounding procedures outlined in the Tricon Planning & Installation Guide should be followed.


• Maintenance instructions outlined in the Tricon Planning & Installation Guide should be followed.
• If degradation to dual mode occurs, continued operation without repair should be limited to 1500 hours (two months).
• If degradation to single mode occurs, continued operation without repair should be limited to 72 hours (three days).
• The GATENB function allows external hosts to write selected aliased variables even when the remote mode is false. A network using the GATENB function should be thoroughly validated to ensure that only the intended aliased variable range is used.
• Remote Peer-to-Peer connections must be programmed according to the recommendations in the section “Peer-to-Peer Communication” on page 25.
Additional Fire and Gas Guidelines
• Analog input cards with current loop terminations should be used to read digital inputs. Opens and shorts in the wiring to the field devices should be detectable. The Triconex library function, LINEMNTR, should be used to simplify program development.
• A controller should be powered by two independent sources.
• If outputs are normally de-energized, a Supervised Digital Output Module should be used to verify proper connection to the final control element and to check the load and the wiring for potential shorts.
• If degradation to dual mode or single mode occurs, repairs should be timely and limits for maximum time in degraded mode should not be imposed to ensure maximum availability.


SIL3/AK6 Guidelines
For SIL3/AK6 applications, the following guidelines should be followed:
• DIN V VDE 19250/AK6 applications that require continued operation after detecting an output failure must have a secondary means of operating the output. A secondary means may be an external group relay or a single point on an independent output module that controls a group of outputs. If a relay is used, it should be checked at least every six months, manually or automatically.
• If non-approved modules are used, the inputs and outputs should be checked to verify that they do not affect safety-critical functions of the controller.
• Two modes control write operations from external hosts:
  – Remote Mode—When the keyswitch setting is REMOTE, external hosts, such as Modbus master, DCS, etc., can write aliased data in the controller. When false, writes are prohibited.
  – Program Mode—When the keyswitch setting is PROGRAM, TriStation can make program changes, including operations that modify the behavior of the programs currently running. (For example, Download All, Download Change, declaring variables, enabling/disabling variables, changing values of variables and scan time, etc.)
  Remote mode and program mode are independent of each other. In safety applications, operation in these modes is not recommended. In other words, write operations to the controller from external hosts should be prohibited. If remote mode or program mode becomes true, the application program should include the following safeguards:
  – When remote mode is true:
    • A program should turn on an alarm. For example, if using the TR_SHUTDOWN function block, the ALARM_REMOTE_ACCESS output could be used.
    • Aliased variables should be checked for adherence to the guidelines described in section “Maintenance Overrides” on page 32.
  – When program mode is true:
    • A program should turn on an alarm. For example, if using the TR_SHUTDOWN function block, the ALARM_PROGRAMMING_PERMITTED output could be used.
• Wiring and grounding procedures outlined in the Tricon Planning & Installation Guide should be followed.


• Maintenance instructions outlined in the Tricon Planning & Installation Guide should be followed.
• If degradation to dual mode occurs, continued operation without repair should be limited to 1500 hours (two months).
• If degradation to single mode occurs, continued operation without repair should be limited to one hour.
• The GATENB function allows external hosts to write selected aliased variables even when the remote mode is false. A network using the GATENB function should be thoroughly validated to ensure that only the intended aliased variable range is used.
Additional Fire and Gas Guidelines
• Analog input cards with current loop terminations should be used to read digital inputs. Opens and shorts in the wiring to the field devices should be detectable. The Triconex library function, LINEMNTR, should be used to simplify program development.
• A controller should be powered by two independent sources.
• If outputs are normally de-energized, a Supervised Digital Output Module should be used to verify proper connection to the final control element and to check the load and the wiring for potential shorts.
• If degradation to dual mode or single mode occurs, repairs should be timely and limits for maximum time in degraded mode should not be imposed to ensure maximum availability.
Project Change and Control
A change to a project, however minor, should comply with the guidelines of your organization’s change control committee. The following steps are recommended:
1 Generate a change request defining all changes and reasons for changes, then obtain approval for the changes from the Safety Change Control Committee (SCCC).
2 Develop a specification for changes, including a test specification, then obtain approval for the specification from the SCCC.
3 Make the appropriate changes to the project, including those related to design, operation, or maintenance documentation.


4 To verify that the configuration in the controller matches the last downloaded configuration, use the Upload and Verify command on the Control Panel. For details, see section “Upload and Verify” in the TriStation 1131 Developer's Guide for Tricon Systems.
5 Compare the configuration in your project with the configuration that was last downloaded to the controller by printing the Configuration Differences report from the Configuration editor. For details, see section “Compare to Last Download” in the TriStation 1131 Developer's Guide for Tricon Systems.
6 Print all logic elements and verify that the changes to networks within each element do not affect other sections of the application.
7 Test the changes according to the test specification by using the Emulator Control Panel.
8 Write a test report.
9 Review and audit all changes and test results with the SCCC.
10 When approved by the SCCC, download the changes to the controller.
  • You may make minor changes on-line only if the changes are absolutely necessary and are tested thoroughly.
  • To enable a Download Change command, select the Enable Programming option in the Set Programming Mode dialog box on the Control Panel if it is not already selected.
  Note: Changing the operating mode to PROGRAM should generate an alarm to remind the operator to return the operating mode to run as soon as possible after the Download Change. For more information, see section “Programming Permitted Alarm” on page 68.
11 Save the downloaded project in TriStation and back up the project.
12 Archive two copies of the project file and all associated documentation.


Maintenance Overrides

Three methods can be used to check safety-critical devices connected to controllers:

• Special switches are connected to inputs to a controller that deactivate the actuators and sensors undergoing maintenance. The maintenance condition is handled in the logic of the control program.
• Sensors and actuators are electrically disconnected from a controller and manually checked using special measures.
• Serial communication to a controller activates the maintenance override condition. This method is useful when space is limited and the maintenance console should be integrated with the operator display.

Using Serial Communication

For maintenance overrides, two options for serial connection are available:

• DCS connection using Modbus RTU protocol (or another approved serial protocol)
• TriStation PC connection, which requires additional, industry-standard safety measures in a controller to prevent downloading a program change during maintenance intervals. For more information on TriStation, see section “Alarm Usage” on page 68.


Design Requirements

The following table describes design requirements for handling maintenance overrides when using serial communication. For each requirement, the responsible person is given for a DCS connection and for a TriStation connection.

• Control program logic and the controller configuration determine whether the desired signal can be overridden.
  DCS: Project Engineer, Commissioner. TriStation: Project Engineer, Commissioner.
• Control program logic and/or system configuration specify whether simultaneous overriding in independent parts of the application is acceptable.
  DCS: Project Engineer. TriStation: Project Engineer, Type Approval.
• Controller activates the override. The operator should confirm the override condition.
  DCS: Operator, Maintenance Engineer. TriStation: Maintenance Engineer, Type Approval.
• Direct overrides on inputs and outputs are not allowed, but should be checked and implemented in relation to the application. Multiple overrides in a controller are allowed as long as only one override applies to each safety-critical group. The controller alarm should not be overridden.
  DCS: Project Engineer. TriStation: Project Engineer, Type Approval.
• DCS warns the operator about an override condition. The operator continues to receive warnings until the override is removed.
  DCS: Project Engineer, Commissioner. TriStation: N/A.
• A second way to remove the maintenance override condition should be available. If urgent, a maintenance engineer may remove the override using a hard-wired switch.
  DCS: Project Engineer. TriStation: Maintenance Engineer, Type Approval.


• During an override, proper operating measures should be implemented. The time span for overriding should be limited to one shift (typically no longer than 8 hours). A maintenance override switch (MOS) light on the operator console should be provided (one per controller or process unit).
  DCS and TriStation: Project Engineer, Commissioner.

Operating Requirements

The following table describes operating requirements for handling maintenance overrides when using serial communication. For each requirement, the responsible person is given for a DCS connection and for a TriStation connection.

• Maintenance overrides are enabled for an entire controller or for a subsystem (process unit).
  DCS: Operator, Maintenance Engineer. TriStation: Maintenance Engineer, Type Approval.
• Controller activates an override. The operator should confirm the override condition.
  DCS: Operator, Maintenance Engineer. TriStation: Maintenance Engineer, Type Approval.
• Controller removes an override.
  DCS: Operator, Maintenance Engineer. TriStation: Maintenance Engineer.


Additional Recommendations

The following procedures are recommended in addition to the recommendations described in the tables on page 33 and page 34:

• A DCS program should regularly verify that no discrepancies exist between the override command signals issued by a DCS and override-activated signals received by a DCS from a PES. The following diagram depicts this procedure:

[Figure: PES Block Diagram. Safety-Instrumented System: Controller with Sensors, Safeguarding Application Program, Actuators, Maintenance Override Handling (Application Program), Hard-Wired Switch and Operator Warning; Distributed Control System: Inputs and Engineering Workstation.]

• Use of the maintenance override capability should be documented in a DCS or TriStation log. The documentation should include:
  – Begin- and end-time stamps of the maintenance override.
  – Identification of the maintenance engineer or operator who activates a maintenance override. If the information cannot be printed, it should be entered in a work-permit or maintenance log.
  – Tag name of the signal being overridden.
  – Communication packages that are different from a type-approved Modbus should include CRC, address check, and check of the communication time frame.
  – Loss of communication should lead to a warning to the operator and maintenance engineer. After loss of communication, a time-delayed removal of the override should occur after a warning to the operator.
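The supervision these recommendations call for, modelled as an added example (not Triconex, TriStation or DCS vendor code): a DCS-side supervisor that compares the override command it issued with the override-activated signal returned by the PES, logs begin and end time stamps with engineer and tag name, keeps warning the operator while an override is active and past the one-shift limit, and after loss of communication warns and then removes the override after a delay. The class names, the 300-second removal delay and the sample tag and engineer names are assumptions.

```python
"""Model of the DCS-side maintenance override supervision recommended on
pages 33 to 35 of the guide. Hypothetical example written for this page;
not Triconex, TriStation or DCS vendor code. Times are in seconds."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SHIFT_LIMIT_S = 8 * 3600            # override limited to one shift (typically 8 hours)
COMM_LOSS_REMOVAL_DELAY_S = 300     # constructed value: removal delay after comm loss


@dataclass
class OverrideRecord:
    tag: str                        # tag name of the overridden signal
    engineer: str                   # who activated the override
    commanded: bool = False         # override command issued by the DCS
    activated: bool = False         # override-activated signal returned by the PES
    begin_time: Optional[float] = None
    comm_lost_since: Optional[float] = None


@dataclass
class OverrideSupervisor:
    records: Dict[str, OverrideRecord] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)   # the DCS maintenance override log

    def command_override(self, tag: str, engineer: str, now: float) -> None:
        rec = self.records.setdefault(tag, OverrideRecord(tag, engineer))
        rec.commanded, rec.engineer, rec.begin_time = True, engineer, now
        self.log.append(f"{now:.0f} BEGIN tag={tag} by={engineer}")

    def remove_override(self, tag: str, now: float, reason: str = "operator") -> None:
        rec = self.records.get(tag)
        if rec is None or not rec.commanded:
            return
        rec.commanded, rec.begin_time = False, None
        self.log.append(f"{now:.0f} END tag={tag} by={rec.engineer} reason={reason}")

    def poll(self, now: float, pes_activated: Dict[str, bool], comm_ok: bool) -> List[str]:
        """One DCS supervision cycle. Returns the warnings to show the operator."""
        warnings: List[str] = []
        for tag, rec in self.records.items():
            if comm_ok:
                rec.comm_lost_since = None
                rec.activated = pes_activated.get(tag, False)
                # the command issued and the activation reported by the PES must agree
                if rec.commanded != rec.activated:
                    warnings.append(f"DISCREPANCY tag={tag} commanded={rec.commanded} "
                                    f"activated={rec.activated}")
            else:
                if rec.comm_lost_since is None:
                    rec.comm_lost_since = now
                warnings.append(f"COMM LOSS tag={tag}")
                # after the warning, time-delayed removal of the override
                if rec.commanded and now - rec.comm_lost_since >= COMM_LOSS_REMOVAL_DELAY_S:
                    self.remove_override(tag, now, reason="comm loss timeout")
            if rec.commanded:
                # the operator keeps receiving the warning until the override is removed
                elapsed = now - rec.begin_time
                warnings.append(f"OVERRIDE ACTIVE tag={tag} elapsed={elapsed:.0f}s")
                if elapsed > SHIFT_LIMIT_S:
                    warnings.append(f"SHIFT LIMIT EXCEEDED tag={tag}")
        return warnings


if __name__ == "__main__":
    sup = OverrideSupervisor()
    sup.command_override("PT-101", "eng42", now=0.0)   # constructed tag and engineer id
    for now, activated, comm_ok in [(1.0, False, True), (2.0, True, True),
                                    (100.0, True, False), (400.0, True, False)]:
        for line in sup.poll(now, {"PT-101": activated}, comm_ok):
            print(f"{now:>6.0f} {line}")
    print("\n".join(sup.log))
```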




CHAPTER 3
Fault Management

This chapter discusses system architecture and diagnostics, types of faults, operating modes, and module diagnostics.

Topics include:
“System Architecture” (page 38)
“System Diagnostics” (page 39)
“Types of Faults” (page 40)
“Operating Modes” (page 41)
“Module Diagnostics” (page 43)


System Architecture

The controller has been designed from its inception with self-diagnostics as a primary feature. Triple-Modular Redundant (TMR) architecture (shown below) ensures fault tolerance and provides error-free, uninterrupted control in the event of hard failures of components or transient faults from internal or external sources.

Each I/O module houses the circuitry for three independent channels. Each channel on the input modules reads the process data and passes that information to its respective main processor. The three Main Processor (MP) Modules communicate with each other using a proprietary, high-speed bus system called the TriBus.

Fault information is available to an application. It is critical that an application properly manage fault information to avoid an unnecessary shutdown of a process or plant.

[Figure: Typical Tricon System. Input Termination feeds Input Channels A, B and C; each channel passes data over its I/O Bus to Main Processor A, B or C, which are linked by the TriBus; the Main Processors drive Output Channels A, B and C, which are combined by a Voter to the Output Termination. Auto Spare is shown on the input and output sides.]


System Diagnostics

To improve system availability and safety, a safety system must be able to detect failures and provide the means for managing failures properly. The controller’s diagnostics may be categorized as:

• Reference diagnostics: comparing an operating value to a predetermined reference, such as a system specification
• Comparison diagnostics: comparing one component to another, such as one independent channel with two other independent channels
• Field device diagnostics: diagnostics are extended to a system’s field devices and wiring


Types of Faults

A controller is subject to external faults and internal faults, which are reported by the:

• Status indicators on a module’s front panels
• Diagnostic Panel in TriStation
• System attributes on the Control Panel in TriStation

External Faults

A controller may experience the following types of external faults:

• Logic power faults
• Field power faults
• Load or fuse faults

When an external fault occurs, the controller asserts an alarm. How the alarm is communicated is module-specific. In some cases, a yellow alarm indicator is provided on the module. For example, a Load/Fuse alarm is provided on digital output modules. In most cases, the System alarm is asserted, and the System alarm indicators on the Main Chassis Power Modules are lit. The Diagnostic Panel in TriStation identifies the faulting module by displaying a red frame around it. For instructions on responding to specific alarm conditions, see the Tricon Planning and Installation Guide.

Internal Faults

Internal faults are usually isolated to one of the controller’s three channels (A, B or C). When an internal fault occurs on one of the three channels, the remaining two healthy channels maintain full control. Depending on the type of fault, the controller either remains in TMR mode or degrades to dual mode for the system component that is affected by the fault. For more information on operating modes, see “Operating Modes” on page 41.

When an internal fault occurs, the controller lights the red Fault indicator on the faulting module and the System alarm on the Main Chassis Power Modules to alert the operator to replace the faulting module.


Operating Modes

Each input or output point is considered to operate in Triple Modular Redundant, dual, or single mode. The current mode indicates the number of channels controlling a point; in other words, the number of channels controlling the output or having confidence in the input. System variables summarize the status of input and output points. For safety reasons, system mode is defined as the mode of the point controlled by the fewest number of channels. When a safety-critical point is in dual or single mode, the application may need to shut down the controlled process within a pre-determined time.

A user can further simplify and customize shutdown logic using special function blocks provided by Triconex. By considering only faults in safety-critical modules, system availability can be improved. For more information, see Appendix A, “Peer-to-Peer Communication.”

While operating in TMR mode, the process is protected each scan from the effect of a single safety-critical system fault. The system can also tolerate multiple faults and continue to operate correctly unless the combined effects of multiple faults affect the same point on multiple channels. If a system fault occurs, the loss of redundancy causes an increased probability of failure on demand (PFD). To keep the PFD within industry-acceptable guidelines, the recommended maximum operating period of 1500 hours in dual mode and 72 hours (SIL3/AK5) or 1 hour (SIL3/AK6) in single mode should be observed.

A safety-critical fault is defined as a fault that can affect the ability of the system to correctly control outputs, including:

• Inability to detect a change of state on a digital input point.
• Inability to detect a change of value on an analog input point.
• Inability to change the state of a digital output point.
• Inability of the system to:
  – Read each input point
  – Vote the correct value of each input
  – Execute the control program
  – Determine the state of each output point correctly


Also, during each execution of the control program, each channel independently verifies the:

• Integrity of the data path between the MPs
• Proper voting of all input values
• Proper evaluation of the control program
• Calculated value of each output point


Module Diagnostics

Each system component detects and reports operational faults.

Digital Input Modules

Digital Input Module points typically use a combination of comparison and force-to-value diagnostics (FVD). Under system control, each channel is independently compared against the measured value of all channels. If a mismatch is found, an alarm is set. Using the integral FVD capability, each point can be independently verified for its ability to accurately detect a transition to the opposite state. A channel that has detected a fault on a digital input point votes that point to be de-energized. These diagnostics are executed independently by each channel, thus assuring nearly 100% fault coverage and fail-safe operation under all single-fault, and most common, multiple-fault scenarios.

Digital Input Module Alarms

Digital Input Module faults are reported to the control program, and these alarms can be used to increase availability during specific multiple fault conditions. Loss of logic power is reported to the control program.

Digital Output Modules

Digital Output Modules use output voter diagnostics (OVD). Under system control, each output point is commanded sequentially to both the energized and de-energized states, and the forced state is maintained until the value is detected by the system or a time-out occurs (500 microseconds, typical; 2 milliseconds, worst case). Using the integral OVD capability, each point can be independently verified for its ability to transition to either state. The OVD is executed in TMR mode, thus assuring nearly 100% fault coverage and fail-safe operation under all single-fault scenarios.

Digital Output Module Alarms

Digital Output Module faults are reported to the control program and can be used to increase availability during specific multiple fault conditions. Loss of field power or logic power is reported to the control program.

The inability of a Digital Output Module to control an output point is reported to the control program as a Load/Fuse alarm. This condition can result from a loss of field power or a field short condition. The alarm can be used to modify the control strategy or direct effective maintenance action.

Analog Input Modules

Analog Input Module points use a combination of comparison and reference diagnostics. Under system control, each channel is independently compared against the measured value of all channels. If a mismatch is found, an alarm is set. Each channel’s measured values are also compared against its internal references. A channel that has detected a fault on an analog input point votes that point to be zero. Using these diagnostics, each channel can be verified independently, thus assuring near 100% fault coverage and fail-safe operation under all single-fault, and most common, multiple-fault scenarios.

Analog Input Module Alarms

Analog Input Module faults are reported to the control program. These alarms can be used to increase availability during specific multiple fault conditions. Loss of logic power is reported to the control program.

Analog Output Modules

Analog Output Modules use a combination of comparison and reference diagnostics. Under system control, each channel is given control of the output sequentially using the 2oo3 voting mechanism. Each channel independently measures the actual state of an output value by comparing it with the commanded value. If the values do not match, a channel switch is forced by voting another channel. Each channel also compares its measured values against internal references. Using these diagnostics, each channel can be independently verified for its ability to control the analog output value, thus assuring nearly 100% fault coverage and fail-safe operation under all single-fault, and most common, multiple-fault scenarios.

Analog Output Module Field Alarms

Analog Output Module faults are reported to the control program. These alarms can be used to increase availability during specific multiple-fault conditions. Loss of field power or logic power is reported to the control program.


Relay Output Modules

Relay Output Module points are not intended for safety-critical applications. The diagnostics used by the relay output points cannot detect faults in the relay contacts.

Relay Output Module Alarms

Detectable Relay Output Module faults are reported to the control program.

Input/Output Processing

Each processor on an I/O module is protected by an independent watchdog that verifies the timely execution of the I/O module firmware and diagnostics. If an I/O processor fails to execute correctly, the I/O processor enters the fail-safe state. The I/O bus transceiver and all outputs for the faulting channel are disabled, leaving all outputs under control of the remaining healthy channels.

The integrity of the I/O bus is continuously monitored and verified independently by each channel of the system. A catastrophic bus fault results in affected I/O module channels reverting to the fail-safe state in less than 50 milliseconds, worst case:

• Each digital input point is reported to the control program as de-energized.
• Each analog input point is reported to the control program as zero.
• Each digital output point goes to the de-energized state.
• Each analog output point goes to 0.0 mA.
• Each relay output point goes to the normally open (NO) position.

I/O Module Alarms

Loss of communication with an I/O module is reported to the control program and can be used to increase availability during specific multiple-fault conditions.


Main Processor and TriBus

Each Main Processor (MP) Module uses memory data comparison between itself and the other MPs to ensure that the control program executes correctly on each scan. Each MP transfers its input point data to the other two MPs via the TriBus during each scan. Each MP then votes the input data and provides voted data to the control program. The results of the control program (outputs), including all internal variables, are transferred by the TriBus. If a mis-compare is detected, special algorithms are used to isolate the faulting MP. The faulting MP enters the fail-safe state and is ignored by the remaining MPs. Background diagnostics test MP memory and compare control program instructions and internal status.

The integrity of the TriBus is continuously monitored and verified independently by each MP. All TriBus faults are detected within the scan associated with the TriBus transfer. Fault isolation hardware and firmware causes the MP with the faulting TriBus to enter the fail-safe state.

An independent watchdog ensures that the control program and diagnostics execute within 500 milliseconds (the watchdog period). If an MP fails to execute the scan, the watchdog forces the MP to the fail-safe state. The I/O processor adds a sequential element to the MP watchdog. If an MP fails to report the proper sequence of execution, the I/O processor causes the MP to enter the fail-safe state.

External Communication

Loss of external communication is not indicated by a system alarm. However, alarms can be generated by using:

• Semaphore flags
• System attributes

CAUTION
External communications are intended for transporting non-safety-critical data. The guidelines outlined in section “Using Serial Communication” on page 32 should be followed in SIS applications.

Semaphore Flags

Establish a semaphore between a controller and an external device by using a timer function block to evaluate the changing state of semaphore flags.
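A model of the semaphore-flag check, added here as an example rather than a Triconex library block: the external device sets the flag, the controller acknowledges by clearing it and restarts a timer, and if the flag is not set again before the timeout the block reports loss of communication. The set-and-clear handshake, the class name and the timeout value are assumptions.

```python
"""Model of a semaphore-flag link monitor as outlined under External
Communication (page 46). Hypothetical example written for this page; it is
not a Triconex library block. Times are in seconds."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class SemaphoreMonitor:
    timeout_s: float            # longest interval allowed between two flag sets (constructed)
    last_set_time: float = 0.0  # when the external device last set the semaphore
    alarm: bool = False         # communication-loss alarm

    def scan(self, flag: bool, now: float) -> Tuple[bool, bool]:
        """One controller scan. Returns (flag value after the scan, comm alarm)."""
        if flag:
            # the external device set the semaphore: acknowledge by clearing it
            # and restart the timer (assumed handshake)
            self.last_set_time = now
            self.alarm = False
            return False, False
        # timer function block: the alarm is raised once the flag has stayed
        # clear for the whole timeout period
        self.alarm = (now - self.last_set_time) >= self.timeout_s
        return False, self.alarm


def alarm_times(trace: List[Tuple[float, bool]], timeout_s: float) -> List[float]:
    """Run a constructed trace of (scan time, flag set by the device) pairs and
    return the scan times at which the communication alarm was active."""
    mon = SemaphoreMonitor(timeout_s)
    return [t for t, flag in trace if mon.scan(flag, t)[1]]


if __name__ == "__main__":
    # constructed trace: the device sets the flag every 2 s, then stalls for 6 s
    trace = [(0.0, True), (2.0, True), (4.0, True), (6.0, False),
             (9.0, False), (10.0, True), (12.0, False)]
    print("alarm active at:", alarm_times(trace, timeout_s=5.0))
```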


System Attributes

System attributes can be used to generate an alarm when a communication link is lost.

For more information about communication alarms, see the TriStation 1131 Developer’s Guide for Tricon Systems. See also the following relevant manuals:

• Advanced Communication Module User's Guide
• Enhanced Intelligent Communication Modules User's Manual
• Hiway Interface Module User's Guide
• Network Communication Module User's Guide
• Safety Manager Module User's Guide
• Tricon DDE Server User's Guide
• Tricon System Access Application Programmer's Reference
• Tricon System Aliases Reference Manual
• Tricon Planning & Installation Guide
• TriStation 1131 Triconex Libraries




CHAPTER 4
Application Development

This chapter discusses methods for developing applications to avoid application faults.

Topics include:
“Development Guidelines” (page 50)
“Important TriStation Commands” (page 51)
“Setting Scan Time” (page 53)
“Sample Safety-Shutdown Programs” (page 55)
“Alarm Usage” (page 68)


Development Guidelines

While developing an application, you should:

• Use a dedicated PC that is not connected to a network.
• Use a good virus checker.
• Verify proper installation of TriStation 1131 using TriStation Install Check.

TriStation Install Check

You should run the TriStation Install Check program to verify that TriStation is correctly installed on your PC and that no associated files are corrupted. This is especially helpful if applications besides TriStation 1131 reside on your PC. For more information on the TriStation Install Check program, see the TriStation 1131 Developer's Guide.


Important TriStation Commands

Several commands in TriStation 1131 Developer’s Workbench are of special interest when developing a safety application:

• Download Change
• Upload and Verify
• Compare to Last Download

Download Change

The Download Change command is a convenient means of making simple modifications to an off-line system during application development.

WARNING
Download Change is intended for off-line use during application development. If you use Download Change to modify a safety-critical application that is running on-line, you must exercise extreme caution because an error in the modified application or system configuration may cause a trip or unpredictable behavior. If you must make on-line changes to a controller, you should always follow the guidelines provided in the TriStation 1131 Developer's Guide and fully understand the risks you are taking by using the Download Change command.

Before a Download Change, use the Diagnostic Panel to verify that Scan Surplus is sufficient for the application and changes being made. As a rule, the value for Scan Surplus should be at least 10% of Scan Time to accommodate newly added elements. For more information on scan time, see “Setting Scan Time” on page 53.

CAUTION
Do not attempt a Download Change if you have a negative Scan Surplus. First, adjust Scan Time to make the surplus value greater than or equal to zero.

For more information on the Download Change command, see the TriStation 1131 Developer's Guide.


Upload and Verify

Before you make changes to a project in TriStation, you should run the Upload and Verify command to verify that the project in TriStation matches the project running in the controller. (The Upload and Verify command is on the Commands menu on the Control Panel in TriStation.) This command compares the current project running in the controller to a record of the last downloaded project. To use the Upload and Verify command, you must be able to connect your application to the controller using the Connect command on the Control Panel in TriStation.

For more information on the Upload and Verify command, see the TriStation 1131 Developer's Guide.

Compare to Last Download

After you have run the Upload and Verify command, make the desired changes to the project. Use the Compare to Last Download command to verify that the changes to the project are only the intended changes. (The Compare to Last Download command is on the Commands menu of the Configuration editor in TriStation.) To test the changes, use the Emulator Control Panel in TriStation.


Setting Scan Time

Setting an appropriate scan time for the project is essential to avoid improper controller behavior. When changing a project running in an on-line system, special precautions should be exercised to avoid scan time overruns, which could result in unexpected controller behavior.

Scan Time

Scan time is the interval required for evaluations (in other words, scans) of an application as it executes in the controller. The time it actually takes to do an evaluation may be less than the requested scan time. To prevent scan-time overruns, a scan time must be set that includes sufficient time for all executable elements in an application, including print statements, conditional statements, and future download changes.

Use the Scan Time parameter in the TriStation Configuration editor to suggest the desired scan time before downloading an application. Upon downloading, the controller determines the minimum and maximum allowable scan times for your application and uses your suggested scan time if it falls within the acceptable limits. The default scan time is 200 milliseconds. The maximum allowable scan time is 500 milliseconds and the minimum allowable scan time is 25 milliseconds.

Requested Scan Time is a system parameter that is set using the Configuration editor.

Actual scan time is the actual time of the last scan. Actual scan time is always equal to or greater than the requested scan time.

Scan Surplus

Scan surplus is the scan time remaining after application elements have been executed. Scan Surplus must be positive; if it is negative, the Scan Time parameter must be adjusted using the Set Scan Time command on the Control Panel to set the surplus value to greater than or equal to zero. The Scan Time parameter in the TriStation Configuration editor applies only when you do a Download All.


Scan Overruns

If Scan Surplus becomes negative and a scan overrun occurs, the relevant status attributes are set as follows:

• SCAN_OVERRUNS is incremented once for each time that a longer scan time is needed.
• SURPLUS_SCAN is set to a negative number to indicate the additional time period used by a scan overrun.

[Figure: network 001 with an instance SCAN_STATUS of the TR_SCAN_STATUS function block. Input: CI. Outputs: CO, POWERUP, FIRSTSCAN, SCANREQUEST, SCANSURPLUS (connected to SCAN_SURPLUS), SCANDELTA, DELTAT, SCANOVERRUN (connected to SCAN_OVERRUNS), KEYSWITCH.]

For more information, see the TriStation 1131 Developer's Guide and the Triconex Libraries Manual.


Sample Safety-Shutdown Programs

The following section describes sample programs and methods for implementing safety-shutdown networks.

All I/O Modules Safety-Critical

The sample program, PROGRAM EX01_SHUTDOWN, shows one way to verify that the safety system is operating properly when every module in the safety system is safety-critical. The example uses an instance of the Triconex Library function block TR_SHUTDOWN named CRITICAL_MODULES. (The sample program is an element of project ExTUV.pt2 found on the TriStation CD. The default location of the project is C:\Program Files\Triconex\TS1131\_Tricon\Examples.)

When the output CRITICAL_MODULES_OPERATING is true, all safety-critical modules are operating properly. The input MAX_TIME_DUAL specifies the maximum time allowed with two channels operating (with no connection, defaults to 40000 days). The input MAX_TIME_SINGLE specifies the maximum time allowed with one channel operating (3 days in the example).

Note: In typical applications, continued operation in dual mode is restricted to 1500 hours (two months). Continued operation in single mode is restricted to 72 hours for SIL/AK5 and one hour for SIL/AK6 guidelines.

When CRITICAL_MODULES_OPERATING is false, the time in degraded operation exceeds the specified limits; therefore, the control program should shut down the process under safety control.

CAUTION
The sample program called EX01_SHUTDOWN does not handle detected field faults, rare combinations of faults detected as field faults, or output voter faults hidden by field faults. The application program, not the TR_SHUTDOWN function block, must read the NO_FLD_FLTS module status or FLD_OK point status to provide the required application-specific action.

For information on improving availability using external, power-disconnect relays and advanced programming techniques, see the sample program called EX02_SHUTDOWN.


Program EX01_SHUTDOWN

[Figure: network 001 of program EX01_SHUTDOWN with the instance CRITICAL_MODULES of the TR_SHUTDOWN function block. Inputs: CI, IO_CO, IO_TMR, IO_GE_DUAL, IO_GE_SINGLE, IO_NO_VOTER_FLTS, IO_ERROR, MAX_TIME_DUAL = T#1500h, MAX_TIME_SINGLE = T#3d, MAX_SCAN_TIME = T#400ms. Outputs: CO, OPERATING (connected to CRITICAL_MODULES_OPERATING), TMR, DUAL, SINGL, ZERO, TIMER_RUNNING, TIME_LEFT, ALARM_PROGRAMMING_PERMITTED, ALARM_REMOTE_ACCESS, ALARM_RESPONSE_TIME, ALARM_DISABLED_POINTS (each alarm output connected to a variable of the same name), ERROR.]

CO false indicates a programming error; for example, MAX_TIME_SINGLE greater than MAX_TIME_DUAL. The error number shows more detail.


Input Parameters

The table below describes the input parameters for the TR_SHUTDOWN function block.

CI: Do not connect when all I/O modules are system-critical.
IO_CO: Do not connect when all I/O modules are system-critical.
IO_TMR: Do not connect when all I/O modules are system-critical.
IO_GE_DUAL: Do not connect when all I/O modules are system-critical.
IO_GE_SINGLE: Do not connect when all I/O modules are system-critical.
IO_NO_VOTER_FLTS: Do not connect when all I/O modules are system-critical.
IO_ERROR: Do not connect when all I/O modules are system-critical.
MAX_TIME_DUAL: Maximum time with only two channels operating.
MAX_TIME_SINGLE: Maximum time with only one channel operating.
MAX_SCAN_TIME: 50% of the maximum response time.


Output Parameters

The table below describes the output parameters for the TR_SHUTDOWN function block.

Parameter                     Description
CO                            Control out
OPERATING                     When OPERATING is true, all safety-critical modules are operating properly.
                              When OPERATING is false, the time in degraded operation exceeds the specified limits; therefore, the control program should shut down the process
TMR                           System is operating in triple modular redundant mode
DUAL                          At least one safety-critical point is controlled by two channels
SINGL                         At least one safety-critical point is controlled by one channel
ZERO                          At least one safety-critical point is not controlled by any channel
TIMER_RUNNING                 Time left to shutdown is decreasing
TIME_LEFT                     Time remaining before shutdown
ALARM_PROGRAMMING_PERMITTED   True if application changes are permitted
ALARM_REMOTE_ACCESS           True if remote-host writes are enabled
ALARM_RESPONSE_TIME           True if actual scan time is greater than MAX_SCAN_TIME
ALARM_DISABLED_POINTS         True if one or more points are disabled
ERROR_NUM                     Error number:
                              0 = No error
                              1 = Error in maximum time
                              2 = I/O function block error (IO_ERROR is non-zero)
                              3 = Function block error (system status or MP status)


Alarm Output Operation

The table below describes how the alarm output parameters operate.

ALARM_PROGRAMMING_PERMITTED
    To remind the operator to lock out programming changes after a download change, or for applications in which download changes are not allowed, connect the ALARM_PROGRAMMING_PERMITTED output to an alarm.

ALARM_REMOTE_ACCESS
    For applications in which remote changes are not allowed, connect the ALARM_REMOTE_ACCESS output to an alarm.

ALARM_RESPONSE_TIME
    Total response time depends primarily on the actual scan time. To meet the required response time of the process, set the MAX_SCAN_TIME input to less than 50% of the required response time. When the actual scan time exceeds the MAX_SCAN_TIME value, the ALARM_RESPONSE_TIME output becomes true.

ALARM_DISABLED_POINTS
    A project should not contain disabled points unless there is a specific reason for disabling them, such as initial testing or maintenance. To remind an operator that some points are disabled, connect the ALARM_DISABLED_POINTS output to an alarm.
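The following Python model of the TR_SHUTDOWN behaviour described in the EX01 tables is an added example; it is not Triconex code and not part of the ExTUV.pt2 project. It reproduces only what the guide states: the vote-mode outputs derived from the IO_* inputs, ERROR_NUM codes 1 and 2, CO, TIME_LEFT, and the response-time alarm. The guide does not document how the block keeps its shutdown timer, so the bookkeeping in ShutdownModel (the timer accumulates while the system is not in TMR mode and resets when TMR is regained, the limit is MAX_TIME_DUAL in dual mode and MAX_TIME_SINGLE in single mode, ZERO mode shuts down at once, and a CO of false also drops OPERATING) is an assumption of this model, flagged again in the comments. Times are integer milliseconds; the defaults are the EX01 values T#1500h, T#3d and T#400ms.

```python
"""Python model of the TR_SHUTDOWN degraded-mode timer (added example; not
Triconex code). Times are integers in milliseconds."""
from dataclasses import dataclass

MS_PER_HOUR = 3_600_000
MS_PER_DAY = 24 * MS_PER_HOUR


@dataclass
class ShutdownInputs:
    """TR_SHUTDOWN inputs. Defaults are the EX01 values: T#1500h, T#3d, T#400ms."""
    io_tmr: bool = True            # all critical points in TMR mode
    io_ge_dual: bool = True        # all critical points in dual or TMR mode
    io_ge_single: bool = True      # all critical points in single, dual or TMR mode
    io_error: int = 0              # non-zero: error in the critical-I/O function block
    max_time_dual: int = 1500 * MS_PER_HOUR
    max_time_single: int = 3 * MS_PER_DAY
    max_scan_time: int = 400


@dataclass
class ShutdownModel:
    """One instance of the block; call scan() once per controller scan."""
    degraded_ms: int = 0   # continuous time in dual or single mode (assumed bookkeeping)

    def scan(self, inp: ShutdownInputs, scan_time_ms: int, ci: bool = True) -> dict:
        # ERROR_NUM codes from the guide's table: 1 = error in maximum time
        # (e.g. MAX_TIME_SINGLE > MAX_TIME_DUAL), 2 = IO_ERROR non-zero.
        # Code 3 (status function block error) is not modelled here.
        if inp.max_time_single > inp.max_time_dual:
            error_num = 1
        elif inp.io_error != 0:
            error_num = 2
        else:
            error_num = 0
        co = ci and error_num == 0      # CO is TRUE only when CI is TRUE and ERROR_NUM = 0

        # Vote mode of the worst critical point, derived from the IO_* inputs.
        tmr = inp.io_tmr
        dual = inp.io_ge_dual and not inp.io_tmr
        singl = inp.io_ge_single and not inp.io_ge_dual
        zero = not inp.io_ge_single

        # Degraded-mode timer. Assumptions of this model: the timer accumulates
        # scan time while not in TMR mode and resets when TMR is regained; the
        # limit is MAX_TIME_DUAL in dual mode, MAX_TIME_SINGLE in single mode and
        # zero in ZERO mode (no channel controls the point: shut down at once).
        if tmr:
            self.degraded_ms = 0
            limit = inp.max_time_dual
        else:
            self.degraded_ms += scan_time_ms
            limit = inp.max_time_dual if dual else inp.max_time_single if singl else 0
        time_left = max(limit - self.degraded_ms, 0)
        timer_running = not tmr and time_left > 0
        # Fail-safe assumption: a programming error (CO = FALSE) also drops OPERATING.
        operating = co and time_left > 0

        return {
            "co": co, "operating": operating, "error_num": error_num,
            "tmr": tmr, "dual": dual, "singl": singl, "zero": zero,
            "timer_running": timer_running, "time_left": time_left,
            # EX01 alarm table: true when the actual scan time exceeds MAX_SCAN_TIME.
            "alarm_response_time": scan_time_ms > inp.max_scan_time,
        }
```

Drive the model with the IO_* values a user-defined critical-I/O block would produce each scan; a scan time of 500 ms against the 400 ms MAX_SCAN_TIME raises the response-time alarm, and swapping the two time limits reproduces the ERROR_NUM = 1 programming error that the EX01 note describes.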


Some I/O Modules Safety-Critical

For some applications, not all modules may be critical to a process. For example, an output module that interfaces to the status indicators on a local panel is usually not critical to a process.

The EX02_SHUTDOWN sample program shows how to increase system availability by detecting the status of safety-critical modules. The user-defined function block CRITICAL_IO checks the safety-critical I/O modules. The CRITICAL_IO outputs are connected to the inputs of the CRITICAL_MODULES function block. (The sample program is an element of project ExTUV.pt2 found on the TriStation CD. The default location of the project is C:\Program Files\Triconex\TS1131\_Tricon\Examples.)

When the output CRITICAL_MODULES_OPERATING is true, all critical modules are operating properly. The input MAX_TIME_DUAL specifies the maximum time allowed with two channels operating (with no connection, it defaults to 40000 days). The input MAX_TIME_SINGLE specifies the maximum time allowed with one channel operating (3 days in the example).

Note  In typical applications, continued operation in dual mode is restricted to 1500 hours (two months). Continued operation in single mode is restricted to 72 hours for SIL/AK5 and one hour for SIL/AK6 guidelines.

When CRITICAL_MODULES_OPERATING is false, the time in degraded operation exceeds the specified limits; therefore, the control program should shut down the plant.

! CAUTION
The EX02_SHUTDOWN sample program does not handle detected field faults, rare combinations of faults detected as field faults, or output voter faults hidden by field faults. The application program, not the TR_SHUTDOWN function block, must read the NO_FLD_FLTS module status or FLD_OK point status to provide the required application-specific action.


Program EX02_SHUTDOWN (function block diagram)

Network 001: CRITICAL_IO, an instance of the user-defined function block EX02_CRITICAL_IO.
  Input:   RELAY1_OK.
  Outputs: CO, TMR, GE_DUAL, GE_SINGLE, NO_VOTER_FLTS and ERROR.

Network 002: CRITICAL_MODULES, an instance of TR_SHUTDOWN.
  Inputs:  IO_CO, IO_TMR, IO_GE_DUAL, IO_GE_SINGLE, IO_NO_VOTER_FLTS and IO_ERROR are driven by the corresponding outputs of CRITICAL_IO;
           MAX_TIME_DUAL := T#1500h; MAX_TIME_SINGLE := T#3d; MAX_SCAN_TIME := T#400ms.
  Outputs: OPERATING is connected to CRITICAL_MODULES_OPERATING; ALARM_PROGRAMMING_PERMITTED, ALARM_REMOTE_ACCESS, ALARM_RESPONSE_TIME and ALARM_DISABLED_POINTS are connected to variables of the same names.


Input Parameters

The table below describes the input parameters for the TR_SHUTDOWN function block.

Parameter           Description
CI                  Control in. If CI is false, then CO is false (no change in the output value). If CI is true and ERROR_NUM is 0, then CO is true
IO_CO               Critical I/O control out
IO_TMR              All critical I/O points are operating in triple modular redundant mode
IO_GE_DUAL          All critical I/O points are operating in dual or TMR mode
IO_GE_SINGLE        All critical I/O points are operating in single, dual, or TMR mode
IO_NO_VOTER_FLTS    If true, then no voter faults exist on a critical I/O module. If false, then a voter fault exists on a critical I/O module
IO_ERROR            Error number. Zero indicates no error; non-zero indicates a programming or configuration error
MAX_TIME_DUAL       Maximum time with only two channels operating
MAX_TIME_SINGLE     Maximum time with only one channel operating
MAX_SCAN_TIME       50% of the maximum response time


Output Parameters

The table below describes the output parameters for the TR_SHUTDOWN function block.

Parameter                     Description
CO                            Control out
OPERATING                     When OPERATING is true, all safety-critical modules are operating properly.
                              When OPERATING is false, the time in degraded operation exceeds the specified limits; therefore, the control program should shut down the process
TMR                           System is operating in triple modular redundant mode
DUAL                          At least one safety-critical point is controlled by two channels
SINGL                         At least one safety-critical point is controlled by one channel
ZERO                          At least one safety-critical point is not controlled by any channel
TIMER_RUNNING                 Time left to shutdown is decreasing
TIME_LEFT                     Time remaining before shutdown
ALARM_PROGRAMMING_PERMITTED   True if application changes are permitted
ALARM_REMOTE_ACCESS           True if remote-host writes are enabled
ALARM_RESPONSE_TIME           True if actual scan time is greater than MAX_SCAN_TIME
ALARM_DISABLED_POINTS         True if one or more points are disabled
ERROR_NUM                     Error number:
                              0 = No error
                              1 = Error in maximum time
                              2 = I/O function block error (IO_ERROR is non-zero)
                              3 = Function block error (system status or MP status)


Alarm Output Operation

The table below describes how the alarm output parameters operate.

ALARM_PROGRAMMING_PERMITTED
    To remind the operator to lock out programming changes after a download change, or for applications in which download changes are not allowed, connect the ALARM_PROGRAMMING_PERMITTED output to an alarm.

ALARM_REMOTE_ACCESS
    For applications in which remote changes are not allowed, connect the ALARM_REMOTE_ACCESS output to an alarm.

ALARM_RESPONSE_TIME
    Total response time depends primarily on the actual scan time. To meet the required response time of the process, set the MAX_SCAN_TIME input to less than 50% of the required response time. When the actual scan time exceeds the MAX_SCAN_TIME value, the ALARM_RESPONSE_TIME output becomes true.

ALARM_DISABLED_POINTS
    A project should not contain disabled points unless there is a specific reason for disabling them, such as initial testing or maintenance. To remind an operator that some points are disabled, connect the ALARM_DISABLED_POINTS output to an alarm.


Defining Function Blocks

▼ To create a user-defined function block for a safety-critical module:

1  Copy the example EX02_CRITICAL_IO in the ExTUV.pt2 sample project provided with the TriStation 1131 Developer's Workbench.

2  Edit the lines following the comment "Include all safety-critical I/O modules here." Each line calls the safety-critical I/O (SCIO) function block for one safety-critical I/O module.

   Example

   **************************************************************)
   (* Include here all safety-critical I/O modules: *)
   SCIO( CHASSIS:=1, SLOT:=1, APP:=DE_ENERGIZED, RELAY_OK:=FALSE );     (* DI *)
   SCIO( CHASSIS:=1, SLOT:=2, APP:=RELAY,        RELAY_OK:=RELAY1_OK ); (* DO *)
   SCIO( CHASSIS:=1, SLOT:=3, APP:=RELAY,        RELAY_OK:=RELAY1_OK ); (* DO *)
   (* ( CHASSIS:=1, SLOT:=4, NOT CRITICAL ) *)                          (* RO *)

3  Enter the correct CHASSIS number, SLOT number, APP (application), and RELAY_OK parameters for the safety-critical I/O module.

Application Type (APP)                             RELAY_OK   Description
RELAY (de-energized to trip with relay)            True       A voter fault degrades the mode to dual. The relay provides a third channel for shutdown so that if an output voter fails, there remain two independent channels (the relay and the other output voter channel) that can de-energize the output.
RELAY (de-energized to trip with relay)            False      A voter fault degrades the mode to single. A non-voter fault degrades the mode to dual.
DE-ENERGIZED (de-energized to trip with no relay)  (none)     A voter fault degrades the mode to single. A non-voter fault degrades the mode to dual.


Partitioned Processes

You can achieve greater system availability if you can allocate modules to processes that do not affect each other. For example, you could have two processes with:

• Outputs for one process on one DO module
• Outputs for another process on a second DO module
• Inputs from a shared DI module

▼ To partition processes:

1  Partition the safety-critical I/O modules into three function blocks:
   • SHARED_IO for the shared safety-critical I/O modules.
   • PROCESS_1_IO for safety-critical I/O modules that do not affect process 2.
   • PROCESS_2_IO for safety-critical I/O modules that do not affect process 1.

2  Connect the function blocks as shown in the EX03_SHUTDOWN example on page 67.

! CAUTION
The EX03_SHUTDOWN sample program does not handle detected field faults, rare combinations of faults detected as field faults, or output voter faults hidden by field faults. The application program, not the TR_SHUTDOWN function block, must read the NO_FLD_FLTS module status or FLD_OK point status to provide the required application-specific action.


Program EX03_SHUTDOWN (function block diagram)

The diagram contains three TR_SHUTDOWN instances, each fed by its own user-defined critical-I/O function block:

• SHARED_IO, an instance of EX03_SHARED_IO (input RELAY1_OK; outputs CO, TMR, GE_DUAL, GE_SINGLE, NO_VOTER_FLTS, ERROR), drives the IO_CO, IO_TMR, IO_GE_DUAL, IO_GE_SINGLE, IO_NO_VOTER_FLTS and IO_ERROR inputs of the TR_SHUTDOWN instance SHARED. SHARED uses MAX_TIME_DUAL := T#1500h, MAX_TIME_SINGLE := T#3d and MAX_SCAN_TIME := T#400ms, and its alarm outputs are connected to ALARM_PROGRAMMING_PERMITTED, ALARM_REMOTE_ACCESS, ALARM_RESPONSE_TIME and ALARM_DISABLED_POINTS.
• PROCESS_1_IO, an instance of EX03_PROCESS_1_IO, drives the TR_SHUTDOWN instance PROCESS_1 in the same way, with the same time limits.
• PROCESS_2_IO, an instance of EX03_PROCESS_2_IO, drives the TR_SHUTDOWN instance PROCESS_2 in the same way, with the same time limits.

PROCESS_1_OPERATING is produced by an AND block that combines the OPERATING outputs of SHARED and PROCESS_1. If PROCESS_1_OPERATING = FALSE, shut down process 1 because the time in degraded mode exceeds the specified limit for safety-critical modules that affect process 1.

PROCESS_2_OPERATING is produced by an AND block that combines the OPERATING outputs of SHARED and PROCESS_2. If PROCESS_2_OPERATING = FALSE, shut down process 2 because the time in degraded mode exceeds the specified limit for safety-critical modules that affect process 2.


Alarm Usage

To implement the guidelines, the alarms described below are provided with TriStation 1131 Developer's Workbench.

Programming Permitted Alarm

To remind the operator to lock out programming changes after a download change, or for applications in which download changes are prohibited, connect the ALARM_KEYINPROGRAM output to an alarm.

Remote Access Alarm

In applications for which remote changes are not allowed, connect the ALARM_KEYINREMOTE output to an alarm.

Response Time and Scan Time

Response time refers to the maximum time allocated for the controller to detect a change on an input point and to change the state of an output point. Response time is primarily determined by scan time (the rate at which the program is run), but is also affected by process time (how fast the process can react to a change). The response time of the controller must be equal to or faster than the process time. The scan time must be at least two times faster than the response time. To meet the required response time of the process, set the MAX_SCAN_TIME input to less than 50% of the required response time. When the actual scan time as measured by the firmware exceeds the MAX_SCAN_TIME value, the ALARM_RESPONSE_TIME output becomes true.

Disabled Points Alarm

A project should not contain disabled points unless there is a specific reason for disabling them, such as initial testing. An alarm is available to alert the operator that a point is disabled.


APPENDIX A  Peer-to-Peer Communication

This appendix provides information about data transfer time, and examples of Peer-to-Peer applications.

Topics include:
  “Data Transfer Time” . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
  “Examples of Peer-to-Peer Applications” . . . . . . . . . . . . . . . . . . 72


Data Transfer Time

The Peer-to-Peer function blocks require multiple scans to transfer data from the sending node to the receiving node. The time it takes to transfer data depends on the following parameters of the sending and receiving nodes:

• Scan time
• Configuration size
• Amount of aliased data
• Number of TR_USEND function blocks, TR_URCV function blocks, print function blocks, and Modbus master function blocks
• Number of nodes on the peer-to-peer network

To estimate the data transfer time, first calculate the number of bytes for aliased variables according to the instructions that follow.

▼ To calculate the number of bytes for aliased variables:

1  On the Tricon menu, select Edit Configuration. This will display the configuration tree.

2  Click Memory Allocation under Tricon System Configuration on the configuration tree. This will display the Memory Allocation dialog box to the right of the configuration tree. The display gives the allocation for Unaliased, Read Aliased, and Read/Write Aliased Memory points, and if you scroll down you can see the allocation for Input points and Output points. For each data type (BOOLs, DINTs, and REALs), you can see the Maximum, Allocated, Forecast, and Current number of variables. The number you need is Allocated.

3  Total the number of allocated “Aliased” BOOLs, DINTs and REALs.

4  The number of bytes for aliased variables is 376 + BOOLs/8 + DINTs*4 + REALs*4.

The basic formula for estimating the data transfer time is as follows:

    Data transfer time in milliseconds = 2 * (larger of TS or SS) + 2 * (larger of TR or SR)


Parameter   Description
TS          Time for the sending node to transfer aliased data over the communication bus, in milliseconds = (number of aliased variables in bytes ÷ 20000) * 1000
SS          Scan time of the sending node in milliseconds
TR          Time for the receiving node to transfer aliased data over the communication bus, in milliseconds = (number of aliased variables in bytes ÷ 20000) * 1000
SR          Scan time of the receiving node in milliseconds

As a general rule, the data transfer time is 1 second to 2 seconds. So when you use Peer-to-Peer function blocks to transfer safety-critical data, you must set the maximum time-out limit to at least 2 seconds. This means that the process-tolerance time of the receiving node must be greater than 4 seconds.

See “Using TR_USEND/TR_URCV Function Blocks for Safety-Critical Data” on page 73 for an example that shows how to measure the maximum data transfer time and use TR_USEND/TR_URCV function blocks to transfer safety-critical data. You should measure the actual maximum time it takes to transfer data while testing your system to ensure the validity of your calculations and the general rules given here.

As the table shows, it takes from 2 to 30 seconds to detect and report time-out and communication errors. This is why a receiving node that uses the received data to make safety-critical decisions must include logic to check that new data is received within the specified time period. If the data is not received within the specified process-tolerance time, then the application must take appropriate actions depending on requirements.

Refer to “Using TR_USEND/TR_URCV Function Blocks for Safety-Critical Data” on page 73 for an example that shows how to use TR_USEND and TR_URCV function blocks for transferring safety-critical data.

Appendix A  Peer-to-Peer Communication
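The estimate and the two time-out rules above, carried through in Python as an added example (not Triconex code). The functions implement the guide's formulas exactly: the aliased-variable byte count from step 4, the bus time for TS and TR, and the 2 * max(TS, SS) + 2 * max(TR, SR) transfer estimate. The worked numbers in the usage are the Node #1 and Node #3 parameters listed under “Using TR_USEND/TR_URCV Function Blocks for Safety-Critical Data” on page 73; the budget check follows that example's pairing of a 2-second time-out with a 4-second process-tolerance time (time-out at least 2 seconds and no more than half the process-tolerance time), which is this example's reading of the rule rather than a documented function block.

```python
"""Data-transfer-time estimate for Peer-to-Peer transfers, following the
formulas in this section (added example; not Triconex code)."""


def aliased_bytes(bools: int, dints: int, reals: int) -> float:
    """Bytes for aliased variables (step 4): 376 + BOOLs/8 + DINTs*4 + REALs*4."""
    return 376 + bools / 8 + dints * 4 + reals * 4


def bus_time_ms(aliased_variable_bytes: float) -> float:
    """TS or TR: time to move the aliased data over the communication bus,
    (bytes / 20000) * 1000 milliseconds."""
    return aliased_variable_bytes / 20000 * 1000


def transfer_time_ms(ts: float, ss: float, tr: float, sr: float) -> float:
    """Data transfer time = 2 * max(TS, SS) + 2 * max(TR, SR)."""
    return 2 * max(ts, ss) + 2 * max(tr, sr)


def estimate(sender_bytes: float, sender_scan_ms: float,
             receiver_bytes: float, receiver_scan_ms: float) -> dict:
    """Full estimate from the two nodes' aliased byte counts and scan times."""
    ts = bus_time_ms(sender_bytes)
    tr = bus_time_ms(receiver_bytes)
    return {"TS": ts, "SS": sender_scan_ms, "TR": tr, "SR": receiver_scan_ms,
            "transfer_ms": transfer_time_ms(ts, sender_scan_ms, tr, receiver_scan_ms)}


def safety_budget_ok(timeout_ms: float, process_tolerance_ms: float) -> bool:
    """Rules for safety-critical data as read from the page-73 example (assumption
    of this model): the maximum time-out limit is at least 2 seconds, and the
    time-out is no more than half the receiving node's process-tolerance time."""
    return timeout_ms >= 2000 and 2 * timeout_ms <= process_tolerance_ms


if __name__ == "__main__":
    # Node #1 sends 2000 aliased bytes at a 150 ms scan; Node #3 receives 5000
    # aliased bytes at a 200 ms scan (parameters of the page-73 example).
    result = estimate(2000, 150, 5000, 200)
    print(result)                          # TS 100, TR 250, transfer_ms 800
    print(safety_budget_ok(2000, 4000))    # True: 2 s time-out, 4 s tolerance
```

The 800 ms estimate is the figure the guide quotes before it allows for one retry, which is why it still recommends a 1 to 2 second planning value; measure the real maximum during testing, as the section requires, before relying on either number.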


Examples of Peer-to-Peer Applications

Peer-to-Peer function blocks are designed to transfer limited amounts of data between two applications. Therefore you should use these function blocks sparingly in your applications. Ideally, you should control the execution of each TR_USEND function block in such a way that each TR_USEND is initiated only when the acknowledgment for the last TR_USEND is received and new data is available for sending. You can do this through effective use of the SENDFLG parameter in the TR_USEND function block and the STATUS output of the TR_USEND function block, as shown in Examples 2 and 3.

The examples described below can be found in the Expeer.pt2 project on the TriStation CD.

Fast Send to One Triconex Node

This is a simple example of sending data as fast as possible from Node #2 to Node #3. Scan time in both controllers is set to 100 milliseconds.

The example uses the following project elements:
• PEER_EX1_SEND_FBD (for sending Node #2)
• PEER_EX1_RCV_FBD (for receiving Node #3)

Sending Data Every Second to One Node

This is a simple example of sending data every second from Node #2 to Node #3. Scan time in both controllers is set to 100 milliseconds.

The example uses the following project elements:
• PEER_EX2_SEND_FBD (for sending Node #2)
• PEER_EX2_RCV_FBD (for receiving Node #3)


Controlled Use of TR_USEND/TR_URCV Function Blocks

The networks in this example show how to use TR_USEND/TR_URCV function blocks correctly, in a controlled way, so that a limited amount of important data can be transferred between two applications when new data is ready to be sent.

This example uses the following project elements:
• PEER_EX3_SEND_FBD (for sending Node #2)
• PEER_EX3_RCV_FBD (for receiving Node #3)

Using TR_USEND/TR_URCV Function Blocks for Safety-Critical Data

This example shows how to use TR_USEND/TR_URCV function blocks for transferring a limited amount of safety-critical data between the two applications as fast as possible. It also shows how to measure the actual maximum time for transferring data from the sending node to the receiving node. Because this is safety-critical data, each controller must have two NCMs and two peer-to-peer networks connected.

Sending Node #1 Parameters:
• Scan time (SS) = 150 milliseconds
• Number of aliased variables in bytes = 2000
• Time to transfer alias data over the communication bus in milliseconds (TS) = (2000/20000) * 1000 = 100 milliseconds
• The sending controller has only one TR_USEND function block in the application, meeting the requirement to have five or fewer TR_USEND function blocks. The sendflag is on in the TR_USEND function block so that, as soon as the last TR_USEND is acknowledged by the receiving controller, the sending controller initiates another TR_USEND

Receiving Node #3 Parameters:
• Scan time (SR) = 200 milliseconds
• Number of aliased variables in bytes = 5000
• Time to transfer aliased data over the communication bus in milliseconds (TR) = (5000/20000) * 1000 = 250 milliseconds
• Process tolerance time = 4 seconds


If the sending controller does not receive acknowledgment from the receiving controller in 1 second, then it automatically retries the last TR_USEND message. Assume that once in a while (due to network collisions, communication bus loading, etc.) the sending controller has to retry one time to get the message to the receiving node. This is why the general rule for data transfer time is 1 to 2 seconds, even though the estimated time is 800 milliseconds. The receiving node also has a network to measure the actual time so that you can validate the assumed 2-second maximum transfer time. Since the process-tolerance time of the receiving node is 4 seconds, the maximum time-out limit is set to 2 seconds (half the process-tolerance time). The receiving node should get at least one sample of new data within the maximum time-out limit. Using this criterion satisfies the basic requirement for using peer-to-peer to transfer safety-critical data.

This example packs 32 BOOL values into a DWORD and sends the DWORD and a diagnostic variable to a receiving node as fast as possible by setting the sendflag parameter to 1 all the time. The diagnostic variable is incremented every time a new TR_USEND is initiated. The receiving node checks the diagnostic variable to see that it has changed from the previous value received. The receiving node also checks whether it has received at least one sample of new data within the process-tolerance time. If not, the application takes appropriate action such as using the last data received or using default data to make safety-critical decisions.

This example uses the following project elements:
• PEER_EX4_SEND_FBD (for sending Node #1)
• PEER_EX4_RCV_FBD (for receiving Node #3)
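The receiving-node checks described above, modelled in Python as an added example; this is not the PEER_EX4_SEND_FBD or PEER_EX4_RCV_FBD project code. Sender packs 32 BOOLs into a DWORD and increments a diagnostic counter for every new send; Receiver compares the counter with the previous value to recognise a new sample and keeps a watchdog on the time since the last new sample. Two choices are this example's own: the counter wraps at 32 bits, and stale data is replaced by a default rather than the last value received (the guide allows either).

```python
"""Receiving-node freshness checks for safety-critical Peer-to-Peer data
(added example; not the PEER_EX4 project code)."""
from dataclasses import dataclass
from typing import List, Optional

MASK32 = 0xFFFF_FFFF


def pack_bools(bits: List[bool]) -> int:
    """Pack up to 32 BOOLs into a DWORD, bit 0 first."""
    if len(bits) > 32:
        raise ValueError("at most 32 BOOLs fit in a DWORD")
    return sum(1 << i for i, b in enumerate(bits) if b)


def unpack_bools(dword: int) -> List[bool]:
    """Inverse of pack_bools; always returns 32 values."""
    return [(dword >> i) & 1 == 1 for i in range(32)]


@dataclass
class Sender:
    """Sending side: the diagnostic variable increments for every new TR_USEND."""
    diag: int = 0

    def send(self, bits: List[bool]):
        self.diag = (self.diag + 1) & MASK32   # 32-bit wrap-around assumed by this model
        return (self.diag, pack_bools(bits))


@dataclass
class Receiver:
    """Receiving side; timeout_ms is the maximum time-out limit (2 s in the example)."""
    timeout_ms: int = 2000
    default_data: int = 0                  # constructed fallback: all 32 BOOLs FALSE
    last_diag: Optional[int] = None
    since_new_ms: int = 0
    last_good: int = 0

    def scan(self, scan_time_ms: int, diag: int, dword: int) -> dict:
        """Call once per receiving-node scan with the values TR_URCV delivered."""
        self.since_new_ms += scan_time_ms
        new_sample = diag != self.last_diag          # diagnostic variable changed
        if new_sample:
            self.last_diag, self.last_good, self.since_new_ms = diag, dword, 0
        fresh = self.since_new_ms <= self.timeout_ms  # at least one new sample in time
        data = self.last_good if fresh else self.default_data
        return {"new_sample": new_sample, "fresh": fresh, "data": unpack_bools(data)}


if __name__ == "__main__":
    sender, receiver = Sender(), Receiver(timeout_ms=2000)
    diag, dword = sender.send([True, False, True] + [False] * 29)
    print(receiver.scan(200, diag, dword)["fresh"])   # True: new sample just arrived
```

When `fresh` goes false the application must act on it in the same scan, which is the "appropriate action" the guide calls for; the 2-to-30-second error reporting of the communication layer is too slow to be the only guard.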


TR_CRITICAL_IO Function Block

Accumulates Status of Critical I/O Modules

The TR_CRITICAL_IO function block provides an easy way to accumulate the status of all safety-critical I/O modules in a Tricon system.

Instructions for Use

The following instructions for using the TR_CRITICAL_IO function block apply to the Structured Text (ST) language.

▼ To obtain the accumulated status of critical I/O modules:

1  Initialize TR_CRITICAL_IO by invoking it once with INIT := TRUE.

       SCIO( INIT := TRUE );

   where SCIO is the function block instance name.

2  To complete initialization, invoke TR_CRITICAL_IO again as follows:

       SCIO( INIT := FALSE, CI := TRUE, APP:=DE_ENERGIZED, RELAY_OK:=FALSE );

   where SCIO is the function block instance name.

3  To get the status of all safety-critical I/O modules, invoke each module by specifying these input values:
   • CHASSIS
   • SLOT
   • APP
   • RELAY_OK

   If CHASSIS 1 SLOT 1 is a critical DI module, and CHASSIS 1 SLOT 2 is a critical DO module with a relay, then the following example applies. SCIO is the function block instance name:

       SCIO( CHASSIS:=1, SLOT:=1, APP:=DE_ENERGIZED, RELAY_OK:=FALSE );
       SCIO( CHASSIS:=1, SLOT:=2, APP:=RELAY, RELAY_OK:=RELAY1_OK );


4  Read the output values:
   – CO
   – TMR
   – GE_DUAL
   – GE_SINGLE
   – NO_VOTER_FLTS

   The output values are an accumulation of the status of all critical I/O modules. For example, the output called TMR is true if all of the critical modules in the system are in TMR mode.

Inputs
Parameter   Type   Description
CI          BOOL   Control In (enables operation)
INIT        BOOL   Initialize
CHASSIS     DINT   Chassis number (1-15)
SLOT        DINT   Physical slot number; must be odd (1, 3, ... 15)
APP         DINT   Application number (1-2)
RELAY_OK    BOOL   Relay is energized and not stuck

Outputs
Parameter       Type   Description
CO              BOOL   Critical I/O Control Out
TMR             BOOL   Three channels are operating without faults on every critical I/O module
GE_DUAL         BOOL   At least two channels are operating without faults on every critical I/O module
GE_SINGLE       BOOL   At least one channel is operating without faults on every critical I/O module
NO_VOTER_FLTS   BOOL   No voter faults on critical I/O modules


Outputs (continued)
Parameter   Type   Description
ERROR       DINT   Error Number:
                   0 = No error
                   -1 = Slot is not odd or not numbered 1-15
                   -2 = Invalid chassis or slot
                   -3 = Module not configured
                   -4 = Reserved (not used)
                   -5 = Invalid application number
                   -6 = Not initialized

Runtime Error Code   Return Value   Condition
EBADPARAM                           Bad parameter

Note  If there is a programming error, then CO is false and the error number is non-zero. For more information, see ERROR above.

APP            RELAY_OK   Description
RELAY          True       A single fault (even a voter fault) degrades the mode to dual. The relay provides a third channel for shutdown so that if an output voter fails, there remain two independent channels (the relay and the other output voter channel) that can de-energize the output.
RELAY          False      A voter fault degrades the mode to single. A non-voter fault degrades the mode to dual.
DE-ENERGIZED   (none)     A voter fault degrades the mode to single. A non-voter fault degrades the mode to dual.

Attribute           Usage
Application Type    Safety, Control
Programming Usage   N/A
CEM Feature         N/A
Library             Tricon


Related Topics

TR_64_POINT_STATUS
TR_CALENDAR
TR_MP_STATUS
TR_PEER_STATUS
TR_POINT_STATUS
TR_PORT_STATUS
TR_PROGRAM_STATUS
TR_SCAN_STATUS
TR_SHUTDOWN
TR_SLOT_STATUS
TR_VOTE_MODE


Structured Text

FUNCTION_BLOCK TR_CRITICAL_IO
VAR_INPUT
    CI : BOOL := TRUE ;           (* Control in. *)
    INIT : BOOL ;                 (* Initialize *)
    CHASSIS : DINT ;              (* Chassis number 1-15 *)
    SLOT : DINT ;                 (* Physical SLOT odd number 1,3..15 *)
    APP : DINT ;                  (* Application number 1-2 *)
    RELAY_OK : BOOL := TRUE ;     (* Relay is energized and not stuck. *)
END_VAR
VAR_OUTPUT
    CO : BOOL ;                   (* Critical IO Control out. *)
    TMR : BOOL := TRUE ;          (* Critical IO 3 channels operating. *)
    GE_DUAL : BOOL ;              (* Critical IO 2 or more channels operating. *)
    GE_SINGLE : BOOL ;            (* Critical IO 1 or more channels operating. *)
    NO_VOTER_FLTS : BOOL ;        (* No voter faults on critical modules. *)
    ERROR : DINT ;                (* Error number. *)
    (*
     * Error number:
     *  0 = No error.
     * -1 = Slot is not odd or not in 1..15.
     * -2 = Chassis or slot is invalid.
     * -3 = Module not configured.
     * -4 = Reserved (not used).
     * -5 = Application number is invalid.
     * -6 = Not initialized.
     *)
END_VAR
VAR
    PREVIOUS_INIT : BOOL ;        (* INIT on previous evaluation. *)
    MP : TR_MP_STATUS ;           (* MP status. *)
    LEFT_SLOT : TR_SLOT_STATUS ;  (* Left slot status. *)
    RIGHT_SLOT : TR_SLOT_STATUS ; (* Right slot status. *)
    RELAY : DINT := 1 ;           (* De-energized to trip with relay *)
    DE_ENERGIZED : DINT := 2 ;    (* De-energized to trip with no relay *)
    U : BOOL ;                    (* Unused value. *)
    LEFT_GE_SINGLE : BOOL ;       (* Left slot, mode >= single. *)
    LEFT_GE_DUAL : BOOL ;         (* Left slot, mode >= dual. *)
    LEFT_TMR : BOOL ;             (* Left slot, mode = tmr. *)
    RIGHT_GE_SINGLE : BOOL ;      (* Right slot, mode >= single. *)
    RIGHT_GE_DUAL : BOOL ;        (* Right slot, mode >= dual. *)
    RIGHT_TMR : BOOL ;            (* Right slot, mode = tmr. *)
    VOTER_FAULT : BOOL ;          (* Voter fault on either slot. *)
END_VAR
(*
 *=F===============================================================================
 * FUNCTION_BLOCK: TR_CRITICAL_IO
 * Purpose: Calculate status of critical IO modules.
 *
 * Return: none
 *
 * Remarks:
 *   Usage
 *   1. Invoke once with INIT := TRUE, to initialize.
 *   2. Invoke again with INIT := FALSE, CI := TRUE, APP := DE_ENERGIZED, and


 *      RELAY_OK := FALSE to complete initialization.
 *   3. Invoke repeatedly, once for each critical IO module.
 *   4. Read outputs CO, TMR, GE_DUAL, and GE_SINGLE for safety critical results.
 *
 *   In step 3, invoke with the CHASSIS and SLOT of the critical IO module,
 *   the module application, and the relay status.
 *   For example, if CHASSIS 1 SLOT 5 is a critical DO module with a relay,
 *   and SCIO is the function block instance name:
 *     SCIO( CHASSIS:=1, SLOT:= 5, APP:=RELAY, RELAY_OK:=RELAY1_OK );
 *
 *   Slot Number
 *   Each logical IO slot consists of two physical slots,
 *   a left slot and a right slot. By convention,
 *   the physical slot number of the left slot is always odd.
 *   The SLOT parameter is the physical slot number of the left slot.
 *
 *   Application
 *   The APP parameter for a module selects the effect of a fault
 *   on the vote mode outputs of the shutdown function blocks.
 *   APP:=RELAY with RELAY_OK:=true
 *     A single fault (even a voter fault) degrades the mode to DUAL.
 *     The relay provides a third channel for shutdown,
 *     so if an output voter fails, there are still
 *     two independent channels that can de-energize the output,
 *     i.e., the relay and the other output voter channel.
 *   APP:=RELAY with RELAY_OK:=false, or
 *   APP:=DE_ENERGIZED
 *     A voter fault degrades the mode to SINGLE.
 *     A non-voter fault degrades the mode to DUAL.
 *
 *   Runtime Errors
 *     EBADPARAM  Bad parameter
 *     CO=FALSE indicates a programming error.
 *     See ERROR number parameter for details.
 *=F===============================================================================
 *)
IF INIT THEN
    MP( CI := TRUE ) ;
    CO := MP.CO ;
    TMR := TRUE ;
    GE_DUAL := TRUE ;
    GE_SINGLE := TRUE ;
    NO_VOTER_FLTS := TRUE ;
ELSIF PREVIOUS_INIT THEN
    ; (* No operation. *)
ELSIF CI AND CO THEN
    IF (DINT_TO_DWORD(SLOT) AND 1) <> 1 OR SLOT


            CO := FALSE ;
        END_IF ;
    END_IF ;
    IF CO THEN
        IF NOT ( LEFT_SLOT.PASS OR LEFT_SLOT.FAIL
              OR LEFT_SLOT.ACTIVE OR LEFT_SLOT.INSTALLED
              OR RIGHT_SLOT.PASS OR RIGHT_SLOT.FAIL
              OR RIGHT_SLOT.ACTIVE OR RIGHT_SLOT.INSTALLED ) THEN
            ERROR := -3 ; (* Module not configured. *)
            U := ReportBadParam(0) ;
            CO := FALSE ;
        END_IF ;
    END_IF ;
    IF CO THEN
        LEFT_GE_SINGLE := LEFT_SLOT.INSTALLED AND LEFT_SLOT.ACTIVE ;
        LEFT_GE_DUAL := LEFT_GE_SINGLE AND NOT LEFT_SLOT.NOGOOD ;
        LEFT_TMR := LEFT_GE_DUAL AND LEFT_SLOT.PASS AND NOT LEFT_SLOT.FAIL ;
        RIGHT_GE_SINGLE := RIGHT_SLOT.INSTALLED AND RIGHT_SLOT.ACTIVE ;
        RIGHT_GE_DUAL := RIGHT_GE_SINGLE AND NOT RIGHT_SLOT.NOGOOD ;
        RIGHT_TMR := RIGHT_GE_DUAL AND RIGHT_SLOT.PASS AND NOT RIGHT_SLOT.FAIL ;
        VOTER_FAULT := LEFT_SLOT.VOTER_FAULT OR RIGHT_SLOT.VOTER_FAULT ;
        TMR := TMR AND (LEFT_TMR OR RIGHT_TMR) ;
        GE_DUAL := GE_DUAL AND (LEFT_GE_DUAL OR RIGHT_GE_DUAL) ;
        GE_SINGLE := GE_SINGLE AND (LEFT_GE_SINGLE OR RIGHT_GE_SINGLE) ;
        NO_VOTER_FLTS := NO_VOTER_FLTS AND NOT VOTER_FAULT ;
        IF APP = RELAY AND RELAY_OK THEN
            TMR := TMR AND NOT VOTER_FAULT ;
        ELSIF APP = DE_ENERGIZED OR APP = RELAY AND NOT RELAY_OK THEN
            TMR := TMR AND NOT VOTER_FAULT ;
            GE_DUAL := GE_DUAL AND NOT VOTER_FAULT ;
        ELSE
            ERROR := -5 ; (* Application number is invalid *)
            U := ReportBadParam(0) ;
            CO := FALSE ;
        END_IF ;
    END_IF ;
END_IF ;
IF ERROR = 0 AND NOT CO THEN
    ERROR := -6 ; (* Not initialized *)
    U := ReportBadParam(0) ;
END_IF ;
IF NOT CO THEN
    TMR := FALSE ;
    GE_DUAL := FALSE ;
    GE_SINGLE := FALSE ;
    NO_VOTER_FLTS := FALSE ;
END_IF ;
PREVIOUS_INIT := INIT ;
END_FUNCTION_BLOCK
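A Python model of the accumulation logic in the TR_CRITICAL_IO listing above, added here as an example; it is not Triconex code. It follows the usage steps from “Instructions for Use” (initialise, complete initialisation, one call per critical module, read the outputs) and the fault rules for APP and RELAY_OK, so it also serves the “Defining Function Blocks” procedure on page 65. Two things are this model's own: TR_SLOT_STATUS is reduced to the six flags the listing reads (SlotStatus, an assumed shape), and the chassis/slot lookup that produces ERROR -2 is not reproduced on this page, so it is not modelled and the CHASSIS argument is accepted but unused.

```python
"""Python model of the accumulation logic in the TR_CRITICAL_IO listing
(added example; not Triconex code). TR_SLOT_STATUS is reduced to the flags the
listing reads; the chassis/slot lookup behind ERROR -2 is not modelled."""
from dataclasses import dataclass
from typing import List, Tuple

RELAY = 1          # APP: de-energized to trip with relay
DE_ENERGIZED = 2   # APP: de-energized to trip with no relay


@dataclass(frozen=True)
class SlotStatus:
    """The TR_SLOT_STATUS fields used by the listing (assumed shape)."""
    installed: bool = True
    active: bool = True
    pass_: bool = True         # PASS; renamed because 'pass' is a Python keyword
    fail: bool = False
    nogood: bool = False
    voter_fault: bool = False

    def ge_single(self) -> bool:
        return self.installed and self.active

    def ge_dual(self) -> bool:
        return self.ge_single() and not self.nogood

    def tmr(self) -> bool:
        return self.ge_dual() and self.pass_ and not self.fail

    def configured(self) -> bool:
        return self.pass_ or self.fail or self.active or self.installed


EMPTY = SlotStatus(installed=False, active=False, pass_=False)   # nothing configured


@dataclass
class CriticalIO:
    co: bool = False
    tmr: bool = True
    ge_dual: bool = False
    ge_single: bool = False
    no_voter_flts: bool = False
    error: int = 0                 # never cleared by the listing, so not cleared here
    previous_init: bool = False

    def invoke(self, init=False, ci=True, chassis=0, slot=0, app=DE_ENERGIZED,
               relay_ok=False, left=EMPTY, right=EMPTY, mp_co=True):
        if init:                                   # step 1: initialise
            self.co = mp_co                        # MP.CO from TR_MP_STATUS (assumed healthy)
            self.tmr = self.ge_dual = self.ge_single = self.no_voter_flts = True
        elif self.previous_init:                   # step 2: no operation
            pass
        elif ci and self.co:                       # step 3: one module per call
            if (slot & 1) != 1 or not 1 <= slot <= 15:
                self.error, self.co = -1, False    # slot not odd or not in 1..15
            if self.co and not (left.configured() or right.configured()):
                self.error, self.co = -3, False    # module not configured
            if self.co:
                voter_fault = left.voter_fault or right.voter_fault
                self.tmr = self.tmr and (left.tmr() or right.tmr())
                self.ge_dual = self.ge_dual and (left.ge_dual() or right.ge_dual())
                self.ge_single = self.ge_single and (left.ge_single() or right.ge_single())
                self.no_voter_flts = self.no_voter_flts and not voter_fault
                if app == RELAY and relay_ok:
                    self.tmr = self.tmr and not voter_fault          # voter fault: dual
                elif app == DE_ENERGIZED or (app == RELAY and not relay_ok):
                    self.tmr = self.tmr and not voter_fault
                    self.ge_dual = self.ge_dual and not voter_fault  # voter fault: single
                else:
                    self.error, self.co = -5, False    # invalid application number
        if self.error == 0 and not self.co:
            self.error = -6                            # not initialised
        if not self.co:                                # CO false forces all modes false
            self.tmr = self.ge_dual = self.ge_single = self.no_voter_flts = False
        self.previous_init = init
        return self

    def outputs(self) -> dict:
        return {"CO": self.co, "TMR": self.tmr, "GE_DUAL": self.ge_dual,
                "GE_SINGLE": self.ge_single, "NO_VOTER_FLTS": self.no_voter_flts,
                "ERROR": self.error}


def accumulate(modules: List[Tuple[int, int, int, bool, SlotStatus, SlotStatus]]) -> dict:
    """Steps 1 to 4 of the usage: init, complete init, one call per module, read outputs."""
    scio = CriticalIO()
    scio.invoke(init=True)
    scio.invoke(init=False, ci=True, app=DE_ENERGIZED, relay_ok=False)
    for chassis, slot, app, relay_ok, left, right in modules:
        scio.invoke(chassis=chassis, slot=slot, app=app, relay_ok=relay_ok,
                    left=left, right=right)
    return scio.outputs()
```

The module list in accumulate mirrors the SCIO calls of the EX02_CRITICAL_IO example: a DI module with APP = DE_ENERGIZED and DO modules with APP = RELAY. Feeding a voter fault to a RELAY module with RELAY_OK true drops TMR but keeps GE_DUAL; the same fault with RELAY_OK false also drops GE_DUAL, which is the distinction the APP table above describes.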


82 TR_SHUTDOWN Function BlockTR_SHUTDOWN Function BlockEnable System ShutdownThe TR_SHUTDOWN function block provides an easy way to enable systemshutdown according to industry guidelines.Parameter Type DescriptionInputs CI BOOL Control In—enablesoperationIf CI=FALSE, thenCO=FALSE—there is nochange in the output valueIf CI=TRUE andERROR_NUM=0, thenCO=TRUEIO_CO BOOL Critical I/O Control Out—True indicates that a userdefinedfunction blockprovides the status forcritical I/O modulesIO_TMR BOOL Three channels areoperating without faults onevery critical I/O moduleIO_GE_DUAL BOOL At least two channels areoperating without faults onevery critical I/O moduleIO_GE_SINGLE BOOL At least one channel isoperating without faults onevery critical I/O moduleIO_NO_VOTER_FLTS BOOL No voter faults exist oncritical I/O modulesIO_ERROR DINT Zero means no error—nonzeromeans there is aprogramming error or aconfiguration error<strong>Tricon</strong> <strong>Safety</strong> <strong>Considerations</strong> <strong>Guide</strong>


TR_SHUTDOWN Function Block 83Parameter Type DescriptionInputs MAX_TIME_DUAL TIME Maximum time ofcontinuous operation in dualmode (with only twochannels)MAX_TIME_SINGLE TIME Maximum time ofcontinuous operation insingle mode (with only onechannel)MAX_SCAN_TIME TIME 50% of the maximumresponse timeOutputs CO BOOL Control OutOPERATING BOOL Shutdown if FALSETMR BOOL Three channels operatingDUAL BOOL Dual modeSINGL BOOL Single modeZERO BOOL Zero modeTIMER_RUNNING BOOL Shutdown timer is runningTIME_LEFT TIME Time remaining toshutdownALARM_PROGRAMMING_PERMITTEDBOOLTrue if application changesare permittedALARM_REMOTE_ACCESS BOOL True if remote-host writesare enabledALARM_RESPONSE_TIME BOOL True if actual scan time ≥MAX_SCAN_TIMEALARM_DISABLED_POINTS BOOL True if one or more pointsare disabledAppendix APeer-to-Peer Communication


84 TR_SHUTDOWN Function BlockParameter Type DescriptionOutputs ERROR_NUM DINT Error Number:0 = No error1 = Error in maximum time2 = Error in I/O functionblock (IO_ERRORinput is non-zero)3 = Error in status functionblockRuntime Error Code Return Value ConditionEBADPARAMBad parameterNote If there is a programming error, then CO is false and the error number isnon-zero. For more information, see ERROR_NUM.AttributeApplication TypeProgramming UsageCEM FeatureUsage<strong>Safety</strong>, ControlN/AN/ALibrary<strong>Tricon</strong><strong>Tricon</strong> <strong>Safety</strong> <strong>Considerations</strong> <strong>Guide</strong>


TR_SHUTDOWN Function Block 85Related TopicsTR_64_POINT_STATUSTR_CALENDARTR_CRITICAL_IOTR_MP_STATUSTR_PEER_STATUSTR_POINT_STATUSTR_PORT_STATUSTR_PROGRAM_STATUSTR_SCAN_STATUSTR_SLOT_STATUSTR_VOTE_MODEAppendix APeer-to-Peer Communication


86 TR_SHUTDOWN Function BlockStructured TextFUNCTION_BLOCK TR_SHUTDOWNVAR_INPUTCI : BOOL := TRUE ; (* Control in. *)IO_CO : BOOL ; (* Critical IO Control out. *)IO_TMR : BOOL ; (* Critical IO 3 channels operating. *)IO_GE_DUAL : BOOL ; (* Critical IO 2 or more channels operating. *)IO_GE_SINGLE : BOOL ; (* Critical IO 1 or more channels operating. *)IO_NO_VOTER_FLTS : BOOL ; (* No voter faults on critical modules. *)IO_ERROR : DINT ; (* Error number, 0 = no error. *)MAX_TIME_DUAL : TIME := T#40000d ; (* Max Time with only 2 channels. *)MAX_TIME_SINGLE : TIME := T#40000d ; (* Max Time with only 1 channel. *)MAX_SCAN_TIME : TIME := T#400ms ; (* 50% of Max Response Time. *)END_VARVAR_OUTPUTCO : BOOL ; (* Control out. *)OPERATING : BOOL ; (* Shutdown if OPERATING=FALSE. *)TMR : BOOL ; (* Three channels operating. *)DUAL : BOOL ; (* Dual mode. *)SINGL : BOOL ; (* Single mode. *)ZERO : BOOL ; (* Zero mode. *)TIMER_RUNNING : BOOL ; (* Shutdown timer is running. *)TIME_LEFT : TIME ; (* Time remaining to shutdown. *)ALARM_PROGRAMMING_PERMITTED : BOOL ; (* Alarm -- download change. *)ALARM_REMOTE_ACCESS : BOOL ; (* Alarm -- remote host writes. *)ALARM_RESPONSE_TIME : BOOL ; (* Alarm -- exceed response time. *)ALARM_DISABLED_POINTS : BOOL ; (* Alarm -- some points disabled. *)ERROR : DINT ; (* Error number. *)(** Error number:* 0 = No error.* 1 = Error in maximum time.* 2 = IO function block error - IO_ERROR is non-zero.* 3 = Status function block error.*)END_VARVARGE_DUAL : BOOL ; (* Two or more channels operating. *)GE_SINGLE : BOOL ; (* One or more channels operating. *)MP : TR_MP_STATUS ; (* MP status. *)PROG : TR_PROGRAM_STATUS ; (* Program status. *)SCAN : TR_SCAN_STATUS ; (* Scan status. *)DUAL_TIME : TON ; (* Dual mode timer. *)SINGLE_TIME : TON ; (* Single mode timer. *)U : BOOL ; (* Unused Value. 
*)END_VAR(**=F===============================================================================* FUNCTION_BLOCK: TR_SHUTDOWN* Purpose: Implement TUV restrictions.** Return: none** Remarks:*<strong>Tricon</strong> <strong>Safety</strong> <strong>Considerations</strong> <strong>Guide</strong>


TR_SHUTDOWN Function Block 87* Example EX01_SHUTDOWN shows one way to check that* the safety system is operating within spec when* every module in the safety system is safety critical.* The example uses the <strong>Tricon</strong> Library function block* TR_SHUTDOWN - one instance named CRITICAL_MODULES.* The output CRITICAL_MODULES.OPERATING indicates* that all safety critical modules are operating* within spec. Input MAX_TIME_DUAL specifies the* maximum time allowed with two channels operating* (for example, 1500 hours).* Input MAX_TIME_SINGLE specifies the maximum time allowed* with only one channel operating (for example, 72 hours).* When CRITICAL_MODULES.OPERATING is FALSE,* the time in degraded operation exceeds the* specified limits -- therefore the control program* should shutdown the plant.** Excluding output voter faults and field faults -- TMR implies* three channels with no detected fatal errors, GE_DUAL implies* at least two channels with no detected fatal errors,* and GE_SINGLE implies at least one channel* with no detected fatal errors -- for every path* from a safety critical input to a safety critical output.* Detected output voter faults reduce TMR or GE_DUAL to GE_SINGLE.* (See example EX02_SHUTDOWN to improve availability* using relays and advanced programming techniques.)** The "TMR" output indicates TMR.* The "DUAL" output indicates GE_DUAL but not TMR.* The "SINGL" output indicates GE_SINGLE but not GE_DUAL.* The "ZERO" output indicates not GE_SINGLE.* The "TIMER_RUNNING" output indicates that* the time left to shutdown is decrementing.* The "TIME_LEFT" output indicates the time remaining before shutdown.** WARNING - the TR_SHUTDOWN function block* does not use detected field faults or* <strong>com</strong>binations of faults reported as field faults.* It is the responsibility of the application program* to use system variable NoFieldFault or FieldOK* to detect and respond to such faults.** To see how to create a user-defined function block* 
to improve availability, see the examples* in the help topic for TR_SHUTDOWN.** NOTE -- If IO_CO is false (for example, if you do not provide* a user-defined function block like the one in example EX02_SHUTDOWN),* then losing all three legs of an active IO module results in* a transition to "SINGL", not "ZERO".** Runtime Errors* EBADPARAM Bad parameter* CO=FALSE indicates a programming error.* See ERROR number parameter for details.*=F===============================================================================*)Appendix APeer-to-Peer Communication


88 TR_SHUTDOWN Function BlockIF CI THENMP( CI := TRUE ) ;PROG( CI := TRUE ) ;SCAN( CI := TRUE ) ;ERROR := 0 ;IFMAX_TIME_DUAL < MAX_TIME_SINGLE ORMAX_TIME_DUAL < T#0S ORMAX_TIME_SINGLE < T#0S ORMAX_SCAN_TIME < T#0STHENERROR := 1 ;ELSIF IO_ERROR 0 THENERROR := 2 ;ELSIF NOT (MP.CO AND PROG.CO AND SCAN.CO) THENERROR := 3 ;END_IF ;CO := ERROR = 0 ;(* Get Status *)(* Check for programming errors. *)IF CO THENTMR := NOT MP.MPMAIN AND(NOT IO_CO AND NOT MP.IOMAINOR IO_CO AND IO_TMR);(* Summarize redundancy. *)GE_DUAL := NOT MP.MPBAD AND(NOT IO_CO AND NOT MP.IOBADOR IO_CO AND IO_GE_DUAL);GE_SINGLE :=(NOT IO_COOR IO_CO AND IO_GE_SINGLE);(* Update timers. *)DUAL_TIME( IN := NOT TMR, PT := MAX_TIME_DUAL ) ;SINGLE_TIME( IN := NOT GE_DUAL, PT := MAX_TIME_SINGLE ) ;(* Shutdown if excessive time in degraded operation. *)OPERATING :=GE_SINGLEAND NOT DUAL_TIME.QAND NOT SINGLE_TIME.Q;DUAL := GE_DUAL AND NOT TMR ;SINGL := GE_SINGLE AND NOT GE_DUAL ;ZERO := NOT GE_SINGLE ;(* Output current status. *)<strong>Tricon</strong> <strong>Safety</strong> <strong>Considerations</strong> <strong>Guide</strong>


TR_SHUTDOWN Function Block 89TIMER_RUNNING := OPERATING AND NOT TMR ;(* Output time remaining to shutdown. *)IF NOT OPERATING THENTIME_LEFT := T#0s ;ELSIF TMR THENTIME_LEFT := T#999999d ;ELSIF GE_DUAL ORMAX_TIME_DUAL-DUAL_TIME.ET MAX_SCAN_TIME ;ALARM_DISABLED_POINTS := PROG.POINTS_DISABLED > 0 ;ELSEU := ReportBadParam(0) ;(* Programming error. *)OPERATING := FALSE ;TMR := FALSE ;GE_DUAL := FALSE ;GE_SINGLE := FALSE ;DUAL := FALSE ;SINGL := FALSE ;ZERO := FALSE ;TIMER_RUNNING := FALSE ;TIME_LEFT := T#0S;ALARM_PROGRAMMING_PERMITTED := TRUE ;ALARM_REMOTE_ACCESS := TRUE ;ALARM_RESPONSE_TIME := TRUE ;ALARM_DISABLED_POINTS := TRUE ;END_IF ;END_IF ;END_FUNCTION_BLOCKAppendix APeer-to-Peer Communication


90 TR_VOTE_MODE Function BlockTR_VOTE_MODE Function BlockConverts Redundancy StatusThe TR_VOTE_MODE function block provides an easy way to convertredundancy status from one voting mode to another, as shown in the followingtruth table.TMR GE_DUAL GE_SINGLE TMR DUAL SINGL ZEROT T T T F F FF T T F T F FF F T F F T FF F F F F F TOther 1F F F F1. If there is an error in the inputs, then CO is false, the mode outputs are false, and the functionblock reports a bad parameter error (EBADPARAM).Note To save memory and reduce scan time when using this function block,create a single instance of the function block in your program and invoke itmultiple times. Do not use the same instance more than once in a network.Parameter Type DescriptionInputs CI BOOL Control In—enables operationIf CI=FALSE, then CO=FALSE—there is nochange in the output valueIf CI=TRUE and ERROR_NUM=0, then CO=TRUEIN_TMR BOOL Three critical I/O channels operatingGE_DUAL BOOL Two or more critical I/O channels operatingGE_SINGLE BOOL One or more critical I/O channels operatingOutputs CO BOOL Control Out—indicates <strong>com</strong>pletion of theoperation with no errors<strong>Tricon</strong> <strong>Safety</strong> <strong>Considerations</strong> <strong>Guide</strong>


TR_VOTE_MODE Function Block 91Parameter Type DescriptionOutput TMR BOOL Three critical I/O channels operatingDUAL BOOL Dual modeSINGL BOOL Single modeZERO BOOL Zero modeRuntime Error Code Return Value ConditionEBADPARAMBad parameterNote If there is a programming error, then CO is false and the mode outputs areset to false.AttributeApplication TypeProgramming UsageCEM FeatureUsage<strong>Safety</strong>, ControlSpace SaverN/ALibrary<strong>Tricon</strong>Related TopicsTR_64_POINT_STATUSTR_CALENDARTR_CRITICAL_IOTR_MP_STATUSTR_PEER_STATUSTR_POINT_STATUSTR_PORT_STATUSTR_PROGRAM_STATUSTR_SCAN_STATUSTR_SHUTDOWNTR_SLOT_STATUSAppendix APeer-to-Peer Communication


92 TR_VOTE_MODE Function BlockStructured TextFUNCTION_BLOCK TR_VOTE_MODEVAR_INPUTCI : BOOL := TRUE ; (* Control in. *)IN_TMR : BOOL ; (* 3 channels operating. *)GE_DUAL : BOOL ; (* 2 or more channels operating. *)GE_SINGLE : BOOL ; (* 1 or more channels operating. *)END_VARVAR_OUTPUTCO : BOOL ; (* Control out. *)TMR : BOOL ; (* Triple Modular Redundant. *)DUAL : BOOL ; (* Dual mode. *)SINGL : BOOL ; (* Single mode. *)ZERO : BOOL ; (* Zero mode. *)END_VARVARU : BOOL ; (* Unused Value. *)END_VAR(**=F===============================================================================* FUNCTION_BLOCK: TR_VOTE_MODE* Purpose: Convert redundancy status.** Return: none** Remarks:* 1. Convert redundancy status (TMR, GE_DUAL, GE_SINGLE)* to (TMR, DUAL, SINGL, ZERO).* 2. "GE_" denotes "greater than or equal to".* 3. CO is true if CI is true and there is no programming error.** Runtime Errors* EBADPARAM Bad parameter* CO=false indicates a programming error if CI=true.* The outputs are all false if there is a programming error.*=F==============================================================================*)CO := CI ;IF CI THENCO := GE_DUAL AND GE_SINGLE OR NOT GE_DUAL AND NOT IN_TMR;IF CO THENTMR := IN_TMR ;DUAL := GE_DUAL AND NOT IN_TMR ;SINGL := GE_SINGLE AND NOT GE_DUAL ;ZERO := NOT GE_SINGLE ;ELSEU := ReportBadParam(0) ;TMR := FALSE ;DUAL := FALSE ;SINGL := FALSE ;ZERO := FALSE ;END_IF ;END_IF ;END_FUNCTION_BLOCK<strong>Tricon</strong> <strong>Safety</strong> <strong>Considerations</strong> <strong>Guide</strong>


TR_VOTE_MODE Function Block 93Appendix APeer-to-Peer Communication


94 TR_VOTE_MODE Function Block<strong>Tricon</strong> <strong>Safety</strong> <strong>Considerations</strong> <strong>Guide</strong>


APPENDIX B

Shutdown Function Blocks

This appendix provides information about shutdown function blocks. Topics include:

"TR_CRITICAL_IO Function Block"
"TR_SHUTDOWN Function Block"
"TR_VOTE_MODE Function Block"

Tricon Safety Considerations Guide


TR_CRITICAL_IO Function Block

Accumulates Status of Critical I/O Modules

The TR_CRITICAL_IO function block provides an easy way to accumulate the status of all safety-critical I/O modules in a Tricon system.

Instructions for Use

The following instructions for using the TR_CRITICAL_IO function block apply to the Structured Text (ST) language.

To obtain the accumulated status of critical I/O modules:

1 Initialize TR_CRITICAL_IO by invoking it once with INIT := TRUE.

   SCIO( INIT := TRUE );

   where SCIO is the function block instance name.

2 To complete initialization, invoke TR_CRITICAL_IO again as follows:

   SCIO( INIT := FALSE, CI := TRUE, APP:=DE_ENERGIZED, RELAY_OK:=FALSE );

   where SCIO is the function block instance name.

3 To get the status of all safety-critical I/O modules, invoke the block once for each module, specifying these input values:
   • CHASSIS
   • SLOT
   • APP
   • RELAY_OK

   If CHASSIS 1 SLOT 1 is a critical DI module, and CHASSIS 1 SLOT 2 is a critical DO module with a relay, then the following example applies. SCIO is the function block instance name:

   SCIO(CHASSIS:=1,SLOT:=1,APP:=DE_ENERGIZED,RELAY_OK:=FALSE);
   SCIO(CHASSIS:=1,SLOT:=2,APP:=RELAY,RELAY_OK:=RELAY1_OK);


4 Read the output values:
   – CO
   – TMR
   – GE_DUAL
   – GE_SINGLE
   – NO_VOTER_FLTS

   The output values are an accumulation of the status of all critical I/O modules. For example, the output called TMR is true if all of the critical modules in the system are in TMR mode.

Parameter        Type  Description
Inputs
  CI             BOOL  Control In—enables operation
  INIT           BOOL  Initialize
  CHASSIS        DINT  Chassis number (1–15)
  SLOT           DINT  Physical slot number; must be odd (1, 3...15)
  APP            DINT  Application number (1–2)
  RELAY_OK       BOOL  Relay is energized and not stuck
Outputs
  CO             BOOL  Critical I/O Control Out
  TMR            BOOL  Three channels are operating without faults on every critical I/O module
  GE_DUAL        BOOL  At least two channels are operating without faults on every critical I/O module
  GE_SINGLE      BOOL  At least one channel is operating without faults on every critical I/O module
  NO_VOTER_FLTS  BOOL  No voter faults on critical I/O modules


Parameter  Type  Description
Outputs (continued)
  ERROR    DINT  Error Number:
                  0 = No error
                 -1 = Slot is not odd or not numbered 1–15
                 -2 = Invalid chassis or slot
                 -3 = Module not configured
                 -4 = Reserved (not used)
                 -5 = Invalid application number
                 -6 = Not initialized

Runtime Error Code  Return Value  Condition
EBADPARAM                         Bad parameter

Note: If there is a programming error, then CO is false and the error number is non-zero. For more information, see ERROR above.

APP           RELAY_OK  Description
RELAY         True      A single fault (even a voter fault) degrades the mode to dual. The relay provides a third channel for shutdown so that if an output voter fails, there remain two independent channels (the relay and the other output voter channel) that can de-energize the output.
RELAY         False     A voter fault degrades the mode to single. A non-voter fault degrades the mode to dual.
DE_ENERGIZED  —         (same as RELAY with RELAY_OK = False)

Attribute          Tricon
Application Type   Safety, Control
Programming Usage  N/A
CEM Feature        N/A
Usage              Library
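The four-step procedure above and the APP/RELAY_OK table describe how each module's slot status is folded into the accumulated TMR, GE_DUAL and GE_SINGLE outputs, and how the relay setting changes what a voter fault costs. The following Python model, added here as an illustration and not part of the Tricon library or this guide, reproduces that accumulation so the two relay cases can be compared side by side. SlotStatus is a constructed stand-in for the TR_SLOT_STATUS fields the block reads (INSTALLED, ACTIVE, PASS, FAIL, NOGOOD, VOTER_FAULT); the scenario functions and their slot assignments are constructed sample input, and the chassis-validity path (ERROR -2) is omitted because its checks are not visible on this page.

```python
from dataclasses import dataclass
from typing import Tuple

# Application numbers, as declared in the TR_CRITICAL_IO VAR section.
RELAY = 1          # de-energized to trip, with relay
DE_ENERGIZED = 2   # de-energized to trip, no relay


@dataclass
class SlotStatus:
    """Constructed stand-in for the TR_SLOT_STATUS fields the block reads
    (PASS is spelled 'passing' here because 'pass' is a Python keyword)."""
    installed: bool = True
    active: bool = True
    passing: bool = True
    fail: bool = False
    nogood: bool = False
    voter_fault: bool = False

    def configured(self) -> bool:
        return self.passing or self.fail or self.active or self.installed

    def ge_single(self) -> bool:
        return self.installed and self.active

    def ge_dual(self) -> bool:
        return self.ge_single() and not self.nogood

    def tmr(self) -> bool:
        return self.ge_dual() and self.passing and not self.fail


class CriticalIO:
    """Accumulator with the semantics of TR_CRITICAL_IO after initialization:
    every output starts TRUE and each module can only pull it down."""

    def __init__(self) -> None:
        self.tmr = self.ge_dual = self.ge_single = self.no_voter_flts = True
        self.error = 0

    def add_module(self, slot: int, left: SlotStatus, right: SlotStatus,
                   app: int, relay_ok: bool) -> bool:
        """Fold one logical module (left + right physical slot) into the totals.
        Returns CO; on a programming error self.error holds the block's code."""
        if slot % 2 != 1 or not 1 <= slot <= 15:
            self.error = -1          # slot not odd or outside 1..15
            return self._fail()
        if not (left.configured() or right.configured()):
            self.error = -3          # module not configured
            return self._fail()
        voter_fault = left.voter_fault or right.voter_fault
        self.tmr = self.tmr and (left.tmr() or right.tmr())
        self.ge_dual = self.ge_dual and (left.ge_dual() or right.ge_dual())
        self.ge_single = self.ge_single and (left.ge_single() or right.ge_single())
        self.no_voter_flts = self.no_voter_flts and not voter_fault
        if app == RELAY and relay_ok:
            # The relay is a third, independent shutdown path: a voter fault
            # costs TMR, but two channels can still de-energize the output.
            self.tmr = self.tmr and not voter_fault
        elif app == DE_ENERGIZED or (app == RELAY and not relay_ok):
            # No independent third path: a voter fault drops the mode to SINGLE.
            self.tmr = self.tmr and not voter_fault
            self.ge_dual = self.ge_dual and not voter_fault
        else:
            self.error = -5          # invalid application number
            return self._fail()
        return True

    def _fail(self) -> bool:
        self.tmr = self.ge_dual = self.ge_single = self.no_voter_flts = False
        return False

    def mode(self) -> str:
        """Collapse (TMR, GE_DUAL, GE_SINGLE) the way TR_VOTE_MODE does."""
        return ("TMR" if self.tmr else "DUAL" if self.ge_dual
                else "SINGL" if self.ge_single else "ZERO")


def voter_fault_scenario(relay_ok: bool) -> Tuple[bool, str, int]:
    """Constructed plant: a healthy DI module in slot 1 (DE_ENERGIZED) and a DO
    module in slot 3 (RELAY) whose left slot reports a voter fault.
    Returns (CO, accumulated mode, ERROR)."""
    cio = CriticalIO()
    healthy, voter_faulted = SlotStatus(), SlotStatus(voter_fault=True)
    co = cio.add_module(1, healthy, healthy, DE_ENERGIZED, False)
    co = co and cio.add_module(3, voter_faulted, healthy, RELAY, relay_ok)
    return co, cio.mode(), cio.error


def bad_slot_scenario() -> Tuple[bool, str, int]:
    """An even SLOT is a programming error: CO false, every mode output false."""
    cio = CriticalIO()
    co = cio.add_module(2, SlotStatus(), SlotStatus(), DE_ENERGIZED, False)
    return co, cio.mode(), cio.error
```

With the relay healthy the voter fault leaves the plant in DUAL; with RELAY_OK false the same fault takes it to SINGL, which is the distinction the table makes. Note that once any module reports a programming error every mode output is forced false, so a mis-typed slot number cannot be mistaken for a healthy TMR system.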


Related Topics
TR_64_POINT_STATUS
TR_CALENDAR
TR_MP_STATUS
TR_PEER_STATUS
TR_POINT_STATUS
TR_PORT_STATUS
TR_PROGRAM_STATUS
TR_SCAN_STATUS
TR_SHUTDOWN
TR_SLOT_STATUS
TR_VOTE_MODE


Structured Text

FUNCTION_BLOCK TR_CRITICAL_IO
VAR_INPUT
   CI : BOOL := TRUE ;          (* Control in. *)
   INIT : BOOL ;                (* Initialize *)
   CHASSIS : DINT ;             (* Chassis number 1-15 *)
   SLOT : DINT ;                (* Physical SLOT odd number 1,3..15 *)
   APP : DINT ;                 (* Application number 1-2 *)
   RELAY_OK : BOOL := TRUE ;    (* Relay is energized and not stuck. *)
END_VAR
VAR_OUTPUT
   CO : BOOL ;                  (* Critical IO Control out. *)
   TMR : BOOL := TRUE ;         (* Critical IO 3 channels operating. *)
   GE_DUAL : BOOL ;             (* Critical IO 2 or more channels operating. *)
   GE_SINGLE : BOOL ;           (* Critical IO 1 or more channels operating. *)
   NO_VOTER_FLTS : BOOL ;       (* No voter faults on critical modules. *)
   ERROR : DINT ;               (* Error number. *)
   (*
   * Error number:
   *  0 = No error.
   * -1 = Slot is not odd or not in 1..15.
   * -2 = Chassis or slot is invalid.
   * -3 = Module not configured.
   * -4 = Reserved (not used).
   * -5 = Application number is invalid.
   * -6 = Not initialized.
   *)
END_VAR
VAR
   PREVIOUS_INIT : BOOL ;            (* INIT on previous evaluation. *)
   MP : TR_MP_STATUS ;               (* MP status. *)
   LEFT_SLOT : TR_SLOT_STATUS ;      (* Left slot status. *)
   RIGHT_SLOT : TR_SLOT_STATUS ;     (* Right slot status. *)
   RELAY : DINT := 1 ;               (* De-energized to trip with relay *)
   DE_ENERGIZED : DINT := 2 ;        (* De-energized to trip with no relay *)
   U : BOOL ;                        (* Unused value. *)
   LEFT_GE_SINGLE : BOOL ;           (* Left slot, mode >= single. *)
   LEFT_GE_DUAL : BOOL ;             (* Left slot, mode >= dual. *)
   LEFT_TMR : BOOL ;                 (* Left slot, mode = tmr. *)
   RIGHT_GE_SINGLE : BOOL ;          (* Right slot, mode >= single. *)
   RIGHT_GE_DUAL : BOOL ;            (* Right slot, mode >= dual. *)
   RIGHT_TMR : BOOL ;                (* Right slot, mode = tmr. *)
   VOTER_FAULT : BOOL ;              (* Voter fault on either slot. *)
END_VAR
(*
*=F===============================================================================
* FUNCTION_BLOCK: TR_CRITICAL_IO
* Purpose: Calculate status of critical IO modules.
*
* Return: none
*
* Remarks:
* Usage
* 1. Invoke once with INIT := TRUE, to initialize.
* 2. Invoke again with INIT := FALSE, CI := TRUE, APP := DE_ENERGIZED, and
*    RELAY_OK := FALSE to complete initialization.
* 3. Invoke repeatedly, once for each critical IO module.
* 4. Read outputs CO, TMR, GE_DUAL, and GE_SINGLE for safety critical results.
*
* In step 3, invoke with the CHASSIS and SLOT of the critical IO module,
* the module application, and the relay status.
* For example, if CHASSIS 1 SLOT 5 is a critical DO module with a relay,
* and SCIO is the function block instance name:
*    SCIO( CHASSIS:=1, SLOT:= 5, APP:=RELAY, RELAY_OK:=RELAY1_OK );
*
* Slot Number
* Each logical IO slot consists of two physical slots,
* a left slot and a right slot. By convention,
* the physical slot number of the left slot is always odd.
* The SLOT parameter is the physical slot number of the left slot.
*
* Application
* The APP parameter for a module selects the effect of a fault
* on the vote mode outputs of the shutdown function blocks.
* APP:=RELAY with RELAY_OK:=true
*    A single fault (even a voter fault) degrades the mode to DUAL.
*    The relay provides a third channel for shutdown,
*    so if an output voter fails, there are still
*    two independent channels that can de-energize the output,
*    i.e., the relay and the other output voter channel.
* APP:=RELAY with RELAY_OK:=false, or
* APP:=DE_ENERGIZED
*    A voter fault degrades the mode to SINGLE.
*    A non-voter fault degrades the mode to DUAL.
*
* Runtime Errors
* EBADPARAM Bad parameter
*    CO=FALSE indicates a programming error.
*    See ERROR number parameter for details.
*=F===============================================================================
*)
IF INIT THEN
   MP( CI := TRUE ) ;
   CO := MP.CO ;
   TMR := TRUE ;
   GE_DUAL := TRUE ;
   GE_SINGLE := TRUE ;
   NO_VOTER_FLTS := TRUE ;
ELSIF PREVIOUS_INIT THEN
   ; (* No operation. *)
ELSIF CI AND CO THEN
   IF (DINT_TO_DWORD(SLOT) AND 1) <> 1 OR SLOT
      (* ... the remainder of the slot and chassis validation, i.e. the
         ERROR := -1 and ERROR := -2 paths, was lost in extraction ... *)
      CO := FALSE ;
   END_IF ;
   END_IF ;
   IF CO THEN
      IF NOT ( LEFT_SLOT.PASS OR LEFT_SLOT.FAIL
            OR LEFT_SLOT.ACTIVE OR LEFT_SLOT.INSTALLED
            OR RIGHT_SLOT.PASS OR RIGHT_SLOT.FAIL
            OR RIGHT_SLOT.ACTIVE OR RIGHT_SLOT.INSTALLED ) THEN
         ERROR := -3 ; (* Module not configured. *)
         U := ReportBadParam(0) ;
         CO := FALSE ;
      END_IF ;
   END_IF ;
   IF CO THEN
      LEFT_GE_SINGLE := LEFT_SLOT.INSTALLED AND LEFT_SLOT.ACTIVE ;
      LEFT_GE_DUAL := LEFT_GE_SINGLE AND NOT LEFT_SLOT.NOGOOD ;
      LEFT_TMR := LEFT_GE_DUAL AND LEFT_SLOT.PASS AND NOT LEFT_SLOT.FAIL ;
      RIGHT_GE_SINGLE := RIGHT_SLOT.INSTALLED AND RIGHT_SLOT.ACTIVE ;
      RIGHT_GE_DUAL := RIGHT_GE_SINGLE AND NOT RIGHT_SLOT.NOGOOD ;
      RIGHT_TMR := RIGHT_GE_DUAL AND RIGHT_SLOT.PASS AND NOT RIGHT_SLOT.FAIL ;
      VOTER_FAULT := LEFT_SLOT.VOTER_FAULT OR RIGHT_SLOT.VOTER_FAULT ;
      TMR := TMR AND (LEFT_TMR OR RIGHT_TMR) ;
      GE_DUAL := GE_DUAL AND (LEFT_GE_DUAL OR RIGHT_GE_DUAL) ;
      GE_SINGLE := GE_SINGLE AND (LEFT_GE_SINGLE OR RIGHT_GE_SINGLE) ;
      NO_VOTER_FLTS := NO_VOTER_FLTS AND NOT VOTER_FAULT ;
      IF APP = RELAY AND RELAY_OK THEN
         TMR := TMR AND NOT VOTER_FAULT ;
      ELSIF APP = DE_ENERGIZED OR APP = RELAY AND NOT RELAY_OK THEN
         TMR := TMR AND NOT VOTER_FAULT ;
         GE_DUAL := GE_DUAL AND NOT VOTER_FAULT ;
      ELSE
         ERROR := -5 ; (* Application number is invalid *)
         U := ReportBadParam(0) ;
         CO := FALSE ;
      END_IF ;
   END_IF ;
END_IF ;
IF ERROR = 0 AND NOT CO THEN
   ERROR := -6 ; (* Not initialized *)
   U := ReportBadParam(0) ;
END_IF ;
IF NOT CO THEN
   TMR := FALSE ;
   GE_DUAL := FALSE ;
   GE_SINGLE := FALSE ;
   NO_VOTER_FLTS := FALSE ;
END_IF ;
PREVIOUS_INIT := INIT ;
END_FUNCTION_BLOCK


TR_SHUTDOWN Function Block

Enable System Shutdown

The TR_SHUTDOWN function block provides an easy way to enable system shutdown according to industry guidelines.

Parameter           Type  Description
Inputs
  CI                BOOL  Control In—enables operation. If CI=FALSE, then CO=FALSE—there is no change in the output value. If CI=TRUE and ERROR_NUM=0, then CO=TRUE.
  IO_CO             BOOL  Critical I/O Control Out—True indicates that a user-defined function block provides the status for critical I/O modules
  IO_TMR            BOOL  Three channels are operating without faults on every critical I/O module
  IO_GE_DUAL        BOOL  At least two channels are operating without faults on every critical I/O module
  IO_GE_SINGLE      BOOL  At least one channel is operating without faults on every critical I/O module
  IO_NO_VOTER_FLTS  BOOL  No voter faults exist on critical I/O modules
  IO_ERROR          DINT  Zero means no error—non-zero means there is a programming error or a configuration error


Parameter                    Type  Description
Inputs (continued)
  MAX_TIME_DUAL              TIME  Maximum time of continuous operation in dual mode (with only two channels)
  MAX_TIME_SINGLE            TIME  Maximum time of continuous operation in single mode (with only one channel)
  MAX_SCAN_TIME              TIME  50% of the maximum response time
Outputs
  CO                         BOOL  Control Out
  OPERATING                  BOOL  Shutdown if FALSE
  TMR                        BOOL  Three channels operating
  DUAL                       BOOL  Dual mode
  SINGL                      BOOL  Single mode
  ZERO                       BOOL  Zero mode
  TIMER_RUNNING              BOOL  Shutdown timer is running
  TIME_LEFT                  TIME  Time remaining to shutdown
  ALARM_PROGRAMMING_PERMITTED BOOL True if application changes are permitted
  ALARM_REMOTE_ACCESS        BOOL  True if remote-host writes are enabled
  ALARM_RESPONSE_TIME        BOOL  True if actual scan time ≥ MAX_SCAN_TIME
  ALARM_DISABLED_POINTS      BOOL  True if one or more points are disabled


Parameter    Type  Description
Outputs (continued)
  ERROR_NUM  DINT  Error Number:
                   0 = No error
                   1 = Error in maximum time
                   2 = Error in I/O function block (IO_ERROR input is non-zero)
                   3 = Error in status function block

Runtime Error Code  Return Value  Condition
EBADPARAM                         Bad parameter

Note: If there is a programming error, then CO is false and the error number is non-zero. For more information, see ERROR_NUM.

Attribute          Tricon
Application Type   Safety, Control
Programming Usage  N/A
CEM Feature        N/A
Usage              Library


Related Topics
TR_64_POINT_STATUS
TR_CALENDAR
TR_CRITICAL_IO
TR_MP_STATUS
TR_PEER_STATUS
TR_POINT_STATUS
TR_PORT_STATUS
TR_PROGRAM_STATUS
TR_SCAN_STATUS
TR_SLOT_STATUS
TR_VOTE_MODE


Structured Text

FUNCTION_BLOCK TR_SHUTDOWN
VAR_INPUT
   CI : BOOL := TRUE ;                   (* Control in. *)
   IO_CO : BOOL ;                        (* Critical IO Control out. *)
   IO_TMR : BOOL ;                       (* Critical IO 3 channels operating. *)
   IO_GE_DUAL : BOOL ;                   (* Critical IO 2 or more channels operating. *)
   IO_GE_SINGLE : BOOL ;                 (* Critical IO 1 or more channels operating. *)
   IO_NO_VOTER_FLTS : BOOL ;             (* No voter faults on critical modules. *)
   IO_ERROR : DINT ;                     (* Error number, 0 = no error. *)
   MAX_TIME_DUAL : TIME := T#40000d ;    (* Max Time with only 2 channels. *)
   MAX_TIME_SINGLE : TIME := T#40000d ;  (* Max Time with only 1 channel. *)
   MAX_SCAN_TIME : TIME := T#400ms ;     (* 50% of Max Response Time. *)
END_VAR
VAR_OUTPUT
   CO : BOOL ;                           (* Control out. *)
   OPERATING : BOOL ;                    (* Shutdown if OPERATING=FALSE. *)
   TMR : BOOL ;                          (* Three channels operating. *)
   DUAL : BOOL ;                         (* Dual mode. *)
   SINGL : BOOL ;                        (* Single mode. *)
   ZERO : BOOL ;                         (* Zero mode. *)
   TIMER_RUNNING : BOOL ;                (* Shutdown timer is running. *)
   TIME_LEFT : TIME ;                    (* Time remaining to shutdown. *)
   ALARM_PROGRAMMING_PERMITTED : BOOL ;  (* Alarm -- download change. *)
   ALARM_REMOTE_ACCESS : BOOL ;          (* Alarm -- remote host writes. *)
   ALARM_RESPONSE_TIME : BOOL ;          (* Alarm -- exceed response time. *)
   ALARM_DISABLED_POINTS : BOOL ;        (* Alarm -- some points disabled. *)
   ERROR : DINT ;                        (* Error number. *)
   (*
   * Error number:
   * 0 = No error.
   * 1 = Error in maximum time.
   * 2 = IO function block error - IO_ERROR is non-zero.
   * 3 = Status function block error.
   *)
END_VAR
VAR
   GE_DUAL : BOOL ;               (* Two or more channels operating. *)
   GE_SINGLE : BOOL ;             (* One or more channels operating. *)
   MP : TR_MP_STATUS ;            (* MP status. *)
   PROG : TR_PROGRAM_STATUS ;     (* Program status. *)
   SCAN : TR_SCAN_STATUS ;        (* Scan status. *)
   DUAL_TIME : TON ;              (* Dual mode timer. *)
   SINGLE_TIME : TON ;            (* Single mode timer. *)
   U : BOOL ;                     (* Unused Value. *)
END_VAR
(*
*=F===============================================================================
* FUNCTION_BLOCK: TR_SHUTDOWN
* Purpose: Implement TUV restrictions.
*
* Return: none
*
* Remarks:
*
* Example EX01_SHUTDOWN shows one way to check that
* the safety system is operating within spec when
* every module in the safety system is safety critical.
* The example uses the Tricon Library function block
* TR_SHUTDOWN - one instance named CRITICAL_MODULES.
* The output CRITICAL_MODULES.OPERATING indicates
* that all safety critical modules are operating
* within spec. Input MAX_TIME_DUAL specifies the
* maximum time allowed with two channels operating
* (for example, 1500 hours).
* Input MAX_TIME_SINGLE specifies the maximum time allowed
* with only one channel operating (for example, 72 hours).
* When CRITICAL_MODULES.OPERATING is FALSE,
* the time in degraded operation exceeds the
* specified limits -- therefore the control program
* should shut down the plant.
*
* Excluding output voter faults and field faults -- TMR implies
* three channels with no detected fatal errors, GE_DUAL implies
* at least two channels with no detected fatal errors,
* and GE_SINGLE implies at least one channel
* with no detected fatal errors -- for every path
* from a safety critical input to a safety critical output.
* Detected output voter faults reduce TMR or GE_DUAL to GE_SINGLE.
* (See example EX02_SHUTDOWN to improve availability
* using relays and advanced programming techniques.)
*
* The "TMR" output indicates TMR.
* The "DUAL" output indicates GE_DUAL but not TMR.
* The "SINGL" output indicates GE_SINGLE but not GE_DUAL.
* The "ZERO" output indicates not GE_SINGLE.
* The "TIMER_RUNNING" output indicates that
* the time left to shutdown is decrementing.
* The "TIME_LEFT" output indicates the time remaining before shutdown.
*
* WARNING - the TR_SHUTDOWN function block
* does not use detected field faults or
* combinations of faults reported as field faults.
* It is the responsibility of the application program
* to use system variable NoFieldFault or FieldOK
* to detect and respond to such faults.
*
* To see how to create a user-defined function block
* to improve availability, see the examples
* in the help topic for TR_SHUTDOWN.
*
* NOTE -- If IO_CO is false (for example, if you do not provide
* a user-defined function block like the one in example EX02_SHUTDOWN),
* then losing all three legs of an active IO module results in
* a transition to "SINGL", not "ZERO".
*
* Runtime Errors
* EBADPARAM Bad parameter
*    CO=FALSE indicates a programming error.
*    See ERROR number parameter for details.
*=F===============================================================================
*)
IF CI THEN
   (* Get Status *)
   MP( CI := TRUE ) ;
   PROG( CI := TRUE ) ;
   SCAN( CI := TRUE ) ;

   (* Check for programming errors. *)
   ERROR := 0 ;
   IF
      MAX_TIME_DUAL < MAX_TIME_SINGLE OR
      MAX_TIME_DUAL < T#0S OR
      MAX_TIME_SINGLE < T#0S OR
      MAX_SCAN_TIME < T#0S
   THEN
      ERROR := 1 ;
   ELSIF IO_ERROR <> 0 THEN
      ERROR := 2 ;
   ELSIF NOT (MP.CO AND PROG.CO AND SCAN.CO) THEN
      ERROR := 3 ;
   END_IF ;
   CO := ERROR = 0 ;

   IF CO THEN
      (* Summarize redundancy. *)
      TMR := NOT MP.MPMAIN AND
             (NOT IO_CO AND NOT MP.IOMAIN OR IO_CO AND IO_TMR) ;
      GE_DUAL := NOT MP.MPBAD AND
             (NOT IO_CO AND NOT MP.IOBAD OR IO_CO AND IO_GE_DUAL) ;
      GE_SINGLE := (NOT IO_CO OR IO_CO AND IO_GE_SINGLE) ;

      (* Update timers. *)
      DUAL_TIME( IN := NOT TMR, PT := MAX_TIME_DUAL ) ;
      SINGLE_TIME( IN := NOT GE_DUAL, PT := MAX_TIME_SINGLE ) ;

      (* Shutdown if excessive time in degraded operation. *)
      OPERATING := GE_SINGLE AND NOT DUAL_TIME.Q AND NOT SINGLE_TIME.Q ;

      (* Output current status. *)
      DUAL := GE_DUAL AND NOT TMR ;
      SINGL := GE_SINGLE AND NOT GE_DUAL ;
      ZERO := NOT GE_SINGLE ;
      TIMER_RUNNING := OPERATING AND NOT TMR ;

      (* Output time remaining to shutdown. *)
      IF NOT OPERATING THEN
         TIME_LEFT := T#0s ;
      ELSIF TMR THEN
         TIME_LEFT := T#999999d ;
      ELSIF GE_DUAL OR MAX_TIME_DUAL - DUAL_TIME.ET
         (* ... the rest of this branch, the ELSE branch, and the start of
            the alarm assignments were lost in extraction ... *) MAX_SCAN_TIME ;
      ALARM_DISABLED_POINTS := PROG.POINTS_DISABLED > 0 ;
   ELSE
      U := ReportBadParam(0) ;   (* Programming error. *)
      OPERATING := FALSE ;
      TMR := FALSE ;
      GE_DUAL := FALSE ;
      GE_SINGLE := FALSE ;
      DUAL := FALSE ;
      SINGL := FALSE ;
      ZERO := FALSE ;
      TIMER_RUNNING := FALSE ;
      TIME_LEFT := T#0S ;
      ALARM_PROGRAMMING_PERMITTED := TRUE ;
      ALARM_REMOTE_ACCESS := TRUE ;
      ALARM_RESPONSE_TIME := TRUE ;
      ALARM_DISABLED_POINTS := TRUE ;
   END_IF ;
END_IF ;
END_FUNCTION_BLOCK
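The TR_SHUTDOWN body above runs two TON timers against the summarized redundancy, trips OPERATING when either expires, and forces every alarm output true on a programming error. The following Python model, added here as an illustration and not code from the Tricon library or this guide, replays that logic scan by scan with the guide's own example limits (1500 hours in dual mode, 72 hours in single mode) so the shutdown point and the effect of a recovery to TMR can be observed. It covers the IO_CO = TRUE case only; ProgramStatus is a constructed stand-in for the TR_PROGRAM_STATUS and TR_SCAN_STATUS values the alarms derive from (its field names are assumptions), the one-scan-per-hour period is a deliberate compression of real scan times, and the TIME_LEFT rule for degraded modes (smaller remaining margin of the running timers) is this model's assumption, since that branch of the original is not legible on this page.

```python
from dataclasses import dataclass
from typing import Dict

SEC_PER_HOUR = 3600.0
INF_TIME = float("inf")   # stands in for the T#999999d the block reports while in TMR


@dataclass
class Ton:
    """Minimal IEC 61131-3 TON: ET accumulates while IN is true, resets when IN
    drops, and Q goes true once ET reaches PT. Times are seconds as floats."""
    pt: float
    et: float = 0.0
    q: bool = False

    def step(self, in_: bool, dt: float) -> None:
        if in_:
            self.et = min(self.pt, self.et + dt)
            self.q = self.et >= self.pt
        else:
            self.et, self.q = 0.0, False


@dataclass
class ProgramStatus:
    """Constructed stand-in for the TR_PROGRAM_STATUS / TR_SCAN_STATUS values the
    alarm outputs are derived from; the field names are assumptions."""
    programming_permitted: bool = False
    remote_writes_enabled: bool = False
    actual_scan_time: float = 0.1
    points_disabled: int = 0


class ShutdownModel:
    """Scan-by-scan model of TR_SHUTDOWN for the IO_CO = TRUE case, i.e. the
    redundancy summary comes from a TR_CRITICAL_IO-style block."""

    def __init__(self, max_time_dual: float, max_time_single: float,
                 max_scan_time: float, scan_period: float) -> None:
        self.max_time_dual, self.max_time_single = max_time_dual, max_time_single
        self.max_scan_time, self.scan_period = max_scan_time, scan_period
        self.dual_time, self.single_time = Ton(max_time_dual), Ton(max_time_single)

    def scan(self, io_tmr: bool, io_ge_dual: bool, io_ge_single: bool,
             status: ProgramStatus, io_error: int = 0) -> Dict[str, object]:
        # Programming-error checks in the block's order; ERROR 3 (status block
        # error) cannot occur here because the status values are constructed.
        error = 0
        if (self.max_time_dual < self.max_time_single
                or min(self.max_time_dual, self.max_time_single, self.max_scan_time) < 0):
            error = 1
        elif io_error != 0:
            error = 2
        if error:
            # Fail-safe defaults: no mode is claimed and every alarm is raised.
            return dict(co=False, error=error, operating=False, mode="ZERO",
                        time_left=0.0, timer_running=False,
                        alarm_programming_permitted=True, alarm_remote_access=True,
                        alarm_response_time=True, alarm_disabled_points=True)
        tmr, ge_dual, ge_single = io_tmr, io_ge_dual, io_ge_single
        self.dual_time.step(not tmr, self.scan_period)        # runs whenever below TMR
        self.single_time.step(not ge_dual, self.scan_period)  # runs whenever below DUAL
        operating = ge_single and not self.dual_time.q and not self.single_time.q
        if not operating:
            time_left = 0.0
        elif tmr:
            time_left = INF_TIME
        else:
            # Assumption: time left is the smaller margin of the running timers.
            time_left = self.max_time_dual - self.dual_time.et
            if not ge_dual:
                time_left = min(time_left, self.max_time_single - self.single_time.et)
        mode = "TMR" if tmr else "DUAL" if ge_dual else "SINGL" if ge_single else "ZERO"
        return dict(co=True, error=0, operating=operating, mode=mode,
                    time_left=time_left, timer_running=operating and not tmr,
                    alarm_programming_permitted=status.programming_permitted,
                    alarm_remote_access=status.remote_writes_enabled,
                    alarm_response_time=status.actual_scan_time >= self.max_scan_time,
                    alarm_disabled_points=status.points_disabled > 0)


# (IO_TMR, IO_GE_DUAL, IO_GE_SINGLE) for each redundancy mode.
MODES = {"TMR": (True, True, True), "DUAL": (False, True, True),
         "SINGL": (False, False, True), "ZERO": (False, False, False)}


def scans_until_shutdown(mode: str, max_dual_h: float = 1500.0,
                         max_single_h: float = 72.0, limit: int = 10_000) -> int:
    """Hold the plant in one mode with one scan per hour (a compression of real
    scan periods) and return the scan on which OPERATING first drops; -1 if never."""
    model = ShutdownModel(max_dual_h * SEC_PER_HOUR, max_single_h * SEC_PER_HOUR,
                          max_scan_time=0.4, scan_period=SEC_PER_HOUR)
    for n in range(1, limit + 1):
        if not model.scan(*MODES[mode], ProgramStatus())["operating"]:
            return n
    return -1


def hours_left_after_recovery() -> float:
    """1000 h in DUAL, one TMR scan, then DUAL again: TIME_LEFT is back to the
    full MAX_TIME_DUAL margin minus one scan, because TON resets when IN drops."""
    model = ShutdownModel(1500 * SEC_PER_HOUR, 72 * SEC_PER_HOUR, 0.4, SEC_PER_HOUR)
    for _ in range(1000):
        model.scan(*MODES["DUAL"], ProgramStatus())
    model.scan(*MODES["TMR"], ProgramStatus())
    return model.scan(*MODES["DUAL"], ProgramStatus())["time_left"] / SEC_PER_HOUR
```

Two properties worth checking against your own limits: a continuous stay in DUAL trips on exactly the 1500th hourly scan and a stay in SINGL on the 72nd, while a single scan back at TMR resets the dual-mode budget entirely (the TON restarts from zero). The ALARM_PROGRAMMING_PERMITTED and ALARM_REMOTE_ACCESS outputs make a change-enabled or remotely writable controller visible to the application and to whatever monitors it, and a programming error forces them true rather than false, so a mis-parameterized block cannot silently report a locked-down system.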


TR_VOTE_MODE Function Block

Converts Redundancy Status

The TR_VOTE_MODE function block provides an easy way to convert redundancy status from one voting mode to another, as shown in the following truth table.

Inputs                     Outputs
TMR  GE_DUAL  GE_SINGLE    TMR  DUAL  SINGL  ZERO
T    T        T            T    F     F      F
F    T        T            F    T     F      F
F    F        T            F    F     T      F
F    F        F            F    F     F      T
Other (1)                  F    F     F      F

1. If there is an error in the inputs, then CO is false, the mode outputs are false, and the function block reports a bad parameter error (EBADPARAM).

Note: To save memory and reduce scan time when using this function block, create a single instance of the function block in your program and invoke it multiple times. Do not use the same instance more than once in a network.

Parameter    Type  Description
Inputs
  CI         BOOL  Control In—enables operation. If CI=FALSE, then CO=FALSE—there is no change in the output value. If CI=TRUE and ERROR_NUM=0, then CO=TRUE.
  IN_TMR     BOOL  Three critical I/O channels operating
  GE_DUAL    BOOL  Two or more critical I/O channels operating
  GE_SINGLE  BOOL  One or more critical I/O channels operating
Outputs
  CO         BOOL  Control Out—indicates completion of the operation with no errors


112 TR_VOTE_MODE Function BlockParameter Type DescriptionOutput TMR BOOL Three critical I/O channels operatingDUAL BOOL Dual modeSINGL BOOL Single modeZERO BOOL Zero modeRuntime Error Code Return Value ConditionEBADPARAMBad parameterNote If there is a programming error, then CO is false and the mode outputs areset to false.AttributeApplication TypeProgramming UsageCEM FeatureUsage<strong>Safety</strong>, ControlSpace SaverN/ALibrary<strong>Tricon</strong>Related TopicsTR_64_POINT_STATUSTR_CALENDARTR_CRITICAL_IOTR_MP_STATUSTR_PEER_STATUSTR_POINT_STATUSTR_PORT_STATUSTR_PROGRAM_STATUSTR_SCAN_STATUSTR_SHUTDOWNTR_SLOT_STATUS<strong>Tricon</strong> <strong>Safety</strong> <strong>Considerations</strong> <strong>Guide</strong>


Structured Text

FUNCTION_BLOCK TR_VOTE_MODE
VAR_INPUT
   CI        : BOOL := TRUE ;   (* Control in. *)
   IN_TMR    : BOOL ;           (* 3 channels operating. *)
   GE_DUAL   : BOOL ;           (* 2 or more channels operating. *)
   GE_SINGLE : BOOL ;           (* 1 or more channels operating. *)
END_VAR
VAR_OUTPUT
   CO    : BOOL ;   (* Control out. *)
   TMR   : BOOL ;   (* Triple Modular Redundant. *)
   DUAL  : BOOL ;   (* Dual mode. *)
   SINGL : BOOL ;   (* Single mode. *)
   ZERO  : BOOL ;   (* Zero mode. *)
END_VAR
VAR
   U : BOOL ;       (* Unused value. *)
END_VAR
(**=F===============================================================================
 * FUNCTION_BLOCK: TR_VOTE_MODE
 * Purpose: Convert redundancy status.
 *
 * Return: none
 *
 * Remarks:
 *   1. Convert redundancy status (TMR, GE_DUAL, GE_SINGLE)
 *      to (TMR, DUAL, SINGL, ZERO).
 *   2. "GE_" denotes "greater than or equal to".
 *   3. CO is true if CI is true and there is no programming error.
 *
 * Runtime Errors
 *   EBADPARAM   Bad parameter
 *               CO=false indicates a programming error if CI=true.
 *               The outputs are all false if there is a programming error.
 *=F==============================================================================*)
CO := CI ;
IF CI THEN
   (* The inputs are consistent only if TMR implies GE_DUAL and GE_DUAL
      implies GE_SINGLE; any other combination is a programming error. *)
   CO := GE_DUAL AND GE_SINGLE OR NOT GE_DUAL AND NOT IN_TMR ;
   IF CO THEN
      TMR   := IN_TMR ;
      DUAL  := GE_DUAL AND NOT IN_TMR ;
      SINGL := GE_SINGLE AND NOT GE_DUAL ;
      ZERO  := NOT GE_SINGLE ;
   ELSE
      U := ReportBadParam(0) ;
      TMR   := FALSE ;
      DUAL  := FALSE ;
      SINGL := FALSE ;
      ZERO  := FALSE ;
   END_IF ;
END_IF ;
END_FUNCTION_BLOCK
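The Python model below is an added example, not code from this guide or from the Tricon library. It mirrors the TR_VOTE_MODE body above and the degraded-operation timers of TR_SHUTDOWN (previous section) so that the truth table, the EBADPARAM rejection of inconsistent inputs, and the point at which OPERATING drops can be checked scan by scan offline. Assumptions: DUAL_TIME and SINGLE_TIME are IEC 61131-3 TON on-delay timers (their declarations are not on this page); only the first branch of the TIME_LEFT computation in TR_SHUTDOWN is visible here, so the model reports the smaller remaining budget of the running timers; the scan period and time budgets are constructed values, and every class and function name is the example's own.

```python
"""Scan-by-scan model of TR_VOTE_MODE and of the degraded-operation timers in
TR_SHUTDOWN. Added example for this guide; not Triconex library code."""

INVALID = (False, False, False, False, False)


def vote_mode(in_tmr, ge_dual, ge_single):
    """Mirror of the TR_VOTE_MODE body. Returns (CO, TMR, DUAL, SINGL, ZERO).
    Inputs are consistent only when TMR implies GE_DUAL and GE_DUAL implies
    GE_SINGLE; anything else is a programming error: CO and all mode outputs
    are FALSE (the real block also reports EBADPARAM)."""
    co = (ge_dual and ge_single) or (not ge_dual and not in_tmr)
    if not co:
        return INVALID
    return (True, in_tmr, ge_dual and not in_tmr,
            ge_single and not ge_dual, not ge_single)


def truth_table_holds():
    """Exhaustive check of all 8 input combinations: every consistent input
    selects exactly one mode, every inconsistent input is rejected."""
    for in_tmr in (False, True):
        for ge_dual in (False, True):
            for ge_single in (False, True):
                co, *modes = vote_mode(in_tmr, ge_dual, ge_single)
                consistent = (ge_dual or not in_tmr) and (ge_single or not ge_dual)
                if co != consistent or sum(modes) != int(co):
                    return False
    return True


class TON:
    """Minimal IEC 61131-3 on-delay timer (assumption: DUAL_TIME and
    SINGLE_TIME are TON instances). ET counts while IN is TRUE, resets when
    IN drops, and Q rises once ET reaches PT."""

    def __init__(self, pt_ms):
        self.pt, self.et, self.q = pt_ms, 0, False

    def step(self, enable, dt_ms):
        self.et = min(self.pt, self.et + dt_ms) if enable else 0
        self.q = enable and self.et >= self.pt


class ShutdownModel:
    """Degraded-operation timing of TR_SHUTDOWN: the dual timer runs whenever
    the system is not TMR, the single timer whenever it is not at least dual,
    and OPERATING drops as soon as either timer expires."""

    def __init__(self, max_time_dual_ms, max_time_single_ms):
        # Same parameter check as ERROR := 1 in TR_SHUTDOWN.
        if (max_time_dual_ms < max_time_single_ms
                or max_time_dual_ms < 0 or max_time_single_ms < 0):
            raise ValueError("bad parameter (TR_SHUTDOWN ERROR 1)")
        self.max_dual, self.max_single = max_time_dual_ms, max_time_single_ms
        self.dual_time = TON(max_time_dual_ms)
        self.single_time = TON(max_time_single_ms)

    def scan(self, tmr, ge_dual, ge_single, dt_ms):
        """One scan of dt_ms. Returns (OPERATING, mode name, time left in ms);
        time left is None while TMR, where the original reports T#999999d."""
        co, is_tmr, dual, singl, zero = vote_mode(tmr, ge_dual, ge_single)
        if not co:
            raise ValueError("inconsistent redundancy status")
        self.dual_time.step(not tmr, dt_ms)
        self.single_time.step(not ge_dual, dt_ms)
        operating = ge_single and not self.dual_time.q and not self.single_time.q
        if not operating:
            time_left = 0
        elif tmr:
            time_left = None
        else:
            # Assumption: remaining budget is the smaller of the running
            # timers' remaining times (only the first TIME_LEFT branch is
            # visible on this page).
            remaining = [self.max_dual - self.dual_time.et]
            if not ge_dual:
                remaining.append(self.max_single - self.single_time.et)
            time_left = min(remaining)
        mode = "TMR" if is_tmr else "DUAL" if dual else "SINGL" if singl else "ZERO"
        return operating, mode, time_left


def accepts_params(max_dual_ms, max_single_ms):
    """True if the ERROR := 1 parameter check would pass for these budgets."""
    try:
        ShutdownModel(max_dual_ms, max_single_ms)
        return True
    except ValueError:
        return False


# Constructed redundancy states, one (TMR, GE_DUAL, GE_SINGLE) triple per scan.
TMR, DUAL, SINGLE = (True, True, True), (False, True, True), (False, False, True)


def first_trip(states, dt_ms=100, max_dual_ms=5000, max_single_ms=1000):
    """Feed one state per scan; return (index of the first scan with OPERATING
    false, or None, last (OPERATING, mode, time_left)). Constructed budgets:
    5 s dual, 1 s single, 100 ms scan."""
    model = ShutdownModel(max_dual_ms, max_single_ms)
    trip, last = None, None
    for i, (t, d, s) in enumerate(states):
        last = model.scan(t, d, s, dt_ms)
        if trip is None and not last[0]:
            trip = i
    return trip, last


if __name__ == "__main__":
    print(truth_table_holds())
    # Short dual excursion, recovery to TMR (dual timer resets), long dual
    # excursion: the trip comes 50 scans after the recovery.
    print(first_trip([DUAL] * 3 + [TMR] + [DUAL] * 60))
    # Single mode exhausts its 1 s budget long before the 5 s dual budget.
    print(first_trip([SINGLE] * 20))
```

The two scenarios in the main block show the behaviour the ST code implies but does not spell out: a return to TMR resets DUAL_TIME, so repeated short excursions never accumulate, while in single mode both timers run and the shorter MAX_TIME_SINGLE budget is the one that trips the shutdown.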




Index (page 115)

A
actual scan time 53
alarms
  Analog Input Module 44
  Analog Output Module 44
  Digital Input Module 43
  Digital Output Module 43
  disabled points 24, 68
  I/O modules 45
  output operation 59, 64
  programming permitted 68
  Relay Output Module 45
  remote access 68
  semaphore flags 46
  system attributes 47
Analog Input Module
  alarms 44
  diagnostics 44
Analog Output Module
  alarms 44
  diagnostics 44
analysis
  hazard and risk 5
ANSI/ISA S84.01 16
application-specific standards 17
architecture
  system 38
  TMR 38

B
block valve
  equation for calculating PFD avg 9
burner management systems 21
bus
  Tribus 38

C
calculating PFD avg
  equation for block valves 9
  equation for sensors 9
  equation for system 9
calculation
  SIL example 8
certification
  TÜV Rheinland 20
commands
  Compare to Last Download 52
  Download All 25
  Download Change 51
  Upload and Verify 52
communication
  external 46
  serial 32
Compare to Last Download command 52
contacting Triconex viii
converting
  redundancy status 90, 111
critical I/O modules
  accumulating status 75, 96
CSA C22.2 NO 199 17
customer support viii

D
design requirements 33
development guidelines 50
diagnostics
  Analog Input Module 44
  Analog Output Module 44
  Digital Input Module 43
  Digital Output Module 43
  disable output voter 25
  Relay Output Module 45
  system 39
Digital Input Module
  alarms 43
  diagnostics 43
Digital Output Module
  alarms 43
  diagnostics 43
DIN V 19250 15
DIN V VDE 0801 15
DIN VDE 0116 17
disable output voter diagnostics 25
disabled points alarms 24, 68
Download All command 25
Download Change command 51

E
emergency shutdown system 21
EN 54, part 3 17
equations
  calculating PFD avg for sensors 9
  calculating PFD avg for system 9
  calculating PFD avg for block valves 9
EX01_shutdown program 56
EX02_shutdown program 61
EX03_shutdown program 67
external communication 46
external faults 40

F
factors
  SIL 4
  SIS 5
faults
  external 40
  internal 40
  types 40
fire and gas systems 22
flags
  semaphore 46
functions
  Modbus master 25

G
general guidelines 20
guidelines
  development 50
  general 20
  SIL 27–30
  SIL fire and gas 28, 30
  SIL general 27, 29
  Tricon controller 23

H
hazard and risk analysis 5

I
I/O modules
  accumulating status 75, 96
  alarms 45
  system-critical 55
IEC 61508, parts 1–7 16
IEC 61511 16
Input Module alarms
  Analog 44
  Digital 43
Input Module diagnostics
  Analog 44
  Digital 43
input parameters 57, 62
installation check
  TriStation 50
internal faults 40

L
layers
  protection 5
life cycle model
  safety 12

M
Main Processor
  system attributes 47
  Tribus 46
maintenance overrides 32
Modbus master functions 25
model
  safety life cycle 12
modes
  operating 41
module alarms
  Analog Input 44
  Analog Output 44
  Digital Input 43
  Digital Output 43
  I/O 45
  Relay Output 45
module diagnostics
  Analog Input 44
  Analog Output 44
  Digital Input 43
  Digital Output 43
  Relay Output 45
modules
  accumulating status 75, 96
  safety-critical 24
  system-critical shutdown program for all 55
  system-critical shutdown program for some 60

N
NFPA 72 17
NFPA 8501 17
NFPA 8502 17

O
operating modes
  dual 41
  single 41
  TMR 41
  zero 41
operating requirements 34
operation
  alarm output 59, 64
Output Module alarms
  Analog 44
  Digital 43
  Relay 45
Output Module diagnostics
  Analog 44
  Digital 43
  Relay 45
output operation alarms 64
output parameters 58, 63
output voter diagnostics
  disable 25
OVD
  See output voter diagnostics
overrides
  maintenance 32
overrun
  scan 54
overview
  safety 5

P
parameters
  input 62
  output 58
partitioning processes 66
Peer-to-Peer communication 25
  description of function blocks for 70, 96
Peer-to-Peer function blocks
  data transfer time 70, 96
  errors 71
  examples 72
  rules for correct usage 70, 96
  using with critical data 26
permitted alarms
  programming 68
PFD avg for block valve
  equation for calculating 9
PFD avg for sensors
  equation for calculating 9
PFD avg for system
  equation for calculating 9
points alarms
  disabled 68
processes
  partitioning 66
programming permitted alarm 68
programs
  EX01_shutdown 56
  EX02_shutdown 61
  EX03_shutdown 67
  safety-shutdown for all system-critical I/O modules 55
  safety-shutdown for some system-critical I/O modules 60
protection layers 5

R
redundancy status
  converting 90, 111
Relay Output Module
  alarms 45
  diagnostics 45
requested scan time 53
requirements
  design 33
  operating 34
response time and scan time 24, 68

S
safety life cycle model 12
safety overview 5
safety-critical modules 24
safety-shutdown 24
  networks 24
  programs for all system-critical I/O modules 55
  programs for some system-critical I/O modules 60
scan overrun 54
scan surplus 53
scan time 53
  actual 53
  requested 53
  response time and 24, 68
semaphore flags 46
sensors
  equation for calculating PFD avg 9
serial communication 32
shutdown
  enabling for Tricon 82, 103
  programs for all system-critical I/O modules 55
  programs for some system-critical I/O modules 60
  safe 24
  systems, emergency 21
SIL
  calculation example 8
  factors 4
  fire and gas guidelines 28, 30
  general guidelines 27, 29
  guidelines 27–30
SIS
  factors 5
standards
  application-specific 17
  general 15–16
status
  of critical I/O modules 75, 96
surplus
  scan 53
SYS_SHUTDOWN parameters
  input 57
  output 63
system
  architecture 38
  attributes as alarms 47
  attributes of Main Processor 47
  diagnostics 39
  enabling shutdown for Tricon 82, 103
  equation for calculating PFD avg 9
system-critical I/O modules
  safety-shutdown program for all 55
  safety-shutdown program for some 60
systems
  burner management 21
  emergency shutdown 21
  fire and gas 22

T
technical support viii
time
  scan 53
TMR architecture 38
TR_SHUTDOWN function block 82, 103
TR_VOTE_MODE function block 90, 111
training x
Tribus
  Main Processor 46
  system architecture 38
Triconex support viii
Triple Module Redundant
  See TMR
TriStation Install Check 50
TÜV Rheinland certification 20
types of faults 40

U
Upload and Verify command 52

V
voter diagnostics
  disable output 25
